Windows Analysis Report
setup_it_security (1).msi

Overview

General Information

Sample name: setup_it_security (1).msi
Analysis ID: 1488350
MD5: 4c2ccd8e957c65e8c7ef53c5147066c3
SHA1: 6cd11864dfe9f061c2a4e599304934d94f8c36e8
SHA256: 3809affad6dc10de4613edb2c172f47b641b0393270a129b24683ccd30fb39d7
Tags: msi
Infos:

Detection

AteraAgent
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AteraAgent
AI detected suspicious sample
Bypasses PowerShell execution policy
Creates files in the system32 config directory
Found suspicious powershell code related to unpacking or dynamic code loading
Installs Task Scheduler Managed Wrapper
Loading BitLocker PowerShell Module
Queries disk data (e.g. SMART data)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Reads the Security eventlog
Reads the System eventlog
Very long command line found
Writes many files with high entropy
Yara detected Generic Downloader
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • msiexec.exe (PID: 6636 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup_it_security (1).msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 5324 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 4888 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 876136AFC6C35375E8E539CFFE1FB058 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 6452 cmdline: rundll32.exe "C:\Windows\Installer\MSI380B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5781625 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7196 cmdline: rundll32.exe "C:\Windows\Installer\MSI3C81.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5782703 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7280 cmdline: rundll32.exe "C:\Windows\Installer\MSI4B86.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5786531 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7908 cmdline: rundll32.exe "C:\Windows\Installer\MSI6210.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5792296 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 7332 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F3FE6E8483124E64450C53B6CA0F2865 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • net.exe (PID: 7368 cmdline: "NET" STOP AteraAgent MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 7408 cmdline: C:\Windows\system32\net1 STOP AteraAgent MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • taskkill.exe (PID: 7432 cmdline: "TaskKill.exe" /f /im AteraAgent.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 7440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AteraAgent.exe (PID: 7520 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="it@netnut.io" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000CDtpOIAT" /AgentId="219cfac1-8d31-4145-a06a-203fddd623c4" MD5: 477293F80461713D51A98A24023D45E8)
    • msiexec.exe (PID: 3368 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 3463CFE313C5F6D68DABEECB95B6FC58 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 8076 cmdline: rundll32.exe "C:\Windows\Installer\MSI30EA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5845281 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 404 cmdline: rundll32.exe "C:\Windows\Installer\MSI33D9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5845984 41 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart MD5: 889B99C52A60DD49227C5E485A016679)
  • AteraAgent.exe (PID: 7696 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 7812 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 6600 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "80051a9b-3773-4781-a860-0a1fa9902094" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000CDtpOIAT MD5: ACCE8B17DE63299AA4D5CB7D709BEEDC)
      • conhost.exe (PID: 7028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 6532 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "d9931af6-1b9d-44c1-9ed5-93aefcf99ae5" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000CDtpOIAT MD5: ACCE8B17DE63299AA4D5CB7D709BEEDC)
      • conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7476 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "54c44644-c1a6-46f7-9967-66ad9bd7a25c" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000CDtpOIAT MD5: ACCE8B17DE63299AA4D5CB7D709BEEDC)
      • conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7824 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "d85c307e-1608-4140-9ac8-c846e708cdc6" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000CDtpOIAT MD5: ACCE8B17DE63299AA4D5CB7D709BEEDC)
      • conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 3912 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cscript.exe (PID: 8072 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
      • powershell.exe (PID: 1028 cmdline: "powershell.exe" Set-ExecutionPolicy Bypass -Scope CurrentUser MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 1448 cmdline: "cmd.exe" /c powershell.exe -File "C:\Program Files (x86)\Microsoft Office\Office16\vNextDiag.ps1" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 412 cmdline: powershell.exe -File "C:\Program Files (x86)\Microsoft Office\Office16\vNextDiag.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • AgentPackageMonitoring.exe (PID: 7356 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "8e4f2c67-2211-44b9-9c5e-9e2f7f6d852f" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000CDtpOIAT MD5: B50005A1A62AFA85240D1F65165856EB)
      • conhost.exe (PID: 7332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • AteraAgent.exe (PID: 1528 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 7672 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageUpgradeAgent.exe (PID: 7224 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "dfef552b-734e-4f27-813c-95ef61915f0e" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000CDtpOIAT MD5: 6095B43FA565DA44E7A818CFB4BACBA2)
      • conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 6328 cmdline: "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart MD5: E5DA170027542E25EDE42FC54C929077)
    • AgentPackageSTRemote.exe (PID: 7324 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "1a1cdc7d-4148-4f2b-a60e-770bbe4296d3" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000CDtpOIAT MD5: A86B9D7A0085275F89BBD0878DBDEE3B)
      • conhost.exe (PID: 7028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageTicketing.exe (PID: 7428 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "fd229431-cfd0-4a48-9506-52dcbd66ece5" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000CDtpOIAT MD5: B0E08EBA67B6AAB9E4CD11E3CC0D9988)
      • conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageRuntimeInstaller.exe (PID: 2720 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "8f7a044c-935b-42c2-8dbd-e9da15a52a0d" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJDb21tYW5kTmFtZSI6Imluc3RhbGxkb3RuZXQiLCJEb3ROZXRWZXJzaW9uIjoiNi4wLjMyIiwiTWFjQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzNiMTFiZDM4LTU4ZmQtNDc4My05ZDdmLWUxOGUwNDA5ZmU2YS9hM2RmNGM3ZWJmZjhmYzJjNjdkN2M5ZjU1MThmYjdmZC9kb3RuZXQtcnVudGltZS02LjAuMzItb3N4LWFybTY0LnBrZyIsIk1hY1g2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci9hYTBiMWY3MS04ZGZjLTRiMWItOTUyNS0yMjQ5Y2Q0N2NkN2QvZWRkNDJjM2YyYmYxMTEwNjczNTVhZTFkNDU5OGZhNTEvZG90bmV0LXJ1bnRpbWUtNi4wLjMyLW9zeC14NjQucGtnIiwiV2luQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2I2ZGIyMjYxLTQyODgtNDc0Zi04NzYyLTRlZTA2YmNiMTIyNy9lOGIxNDU4ZWE5ZjgyYjkwZTYzYmU4ZmU4YjlmMjc3NS9kb3RuZXQtcnVudGltZS02LjAuMzItd2luLWFybTY0LmV4ZSIsIldpblg2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci80NTE1YWFhYS1jN2Q1LTQwYmYtYjdmZC1mNDc2ZDZlYTNiMWEvYzU0NWVhOTJkYmQ1Mzc3NTNhZWZiOTM3NDc4ZmQ1MzIvZG90bmV0LXJ1bnRpbWUtNi4wLjMyLXdpbi14NjQuZXhlIiwiV2luWDg2RG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzQ4ZWRkZTFlLTFlOGYtNGRiNi1iNGRjLWM4ODI1NTZkZGE0Yi8wODRhZjllNTQ2ODZmNzBhOGRhZWNlYTJkMmZiZTJjYi9kb3RuZXQtcnVudGltZS02LjAuMzItd2luLXg4Ni5leGUiLCJNYWNBUk1DaGVja3N1bSI6ImszRlZuUDdFQ25zUWdITm92ZTBvZmFVNXgzVFVHVDZkOFk3TmFwbTZPZWpuNXBpVXNoZlcwczc1QkJhVUR6T3hrNmxXL01BOFJnM2pqTVFIai9Eb3lRPT0iLCJNYWNYNjRDaGVja3N1bSI6IjZ2bUxDeVFPSnBrUkFtSDMxUnRYZE9tSnFuQkZEXHUwMDJCZ1VGeWxzN3hjSldvWmZcdTAwMkJuc25WWWtRc2JIYWV0TXVUcm8xaWRMcDhSVnl6RjE4NmFLQUNoSkZnUT09IiwiV2luQVJNQ2hlY2tzdW0iOiJ3eG02bWxhZkdzWXpPTmh4WVBLSW85a3RBVkN0WC94MGVua0s0RjAwUHJQMm9FSTI3aXFPNTh2akF
EOHpITUMwenRYNnBBWWZNb0hEMXoyczYzcm5SQT09IiwiV2luWDY0Q2hlY2tzdW0iOiI1Ry9MOVhSM2J0R0ZrcGFoaHpTdkVDcVNIb3J1d0FhZTZVdkk4azFNYWFvb3NiRmR5Nk4xU3NHdFB2NEpuSUs4UmxPVUtUSHU2NFZMTHRCb1RWTHFoUT09IiwiV2luWDg2Q2hlY2tzdW0iOiJTZU51SVx1MDAyQkhMaTM0L0JQL1ZKcHFqb2FaeVZDY1ZLVnNhQUdtalc5dWJyeUFrZ3pkZ2wwS2xjNENuT2ljZ01Mb2R4dVNVcU9SeVRJbUdZWmVGSzlMbW1RPT0iLCJXb3Jrc3BhY2VJZCI6ImJmMGNlNDlkLTc3Y2YtNDcyMS1iZjcwLTU3Njg2MzgzYzlhYiIsIkxvZ05hbWUiOiJEb3ROZXRSdW50aW1lSW5zdGFsbGF0aW9uUmVwb3J0IiwiU2hhcmVkS2V5IjoialVJUy9UOUNSVkRlS3hZZzRVcjNhQ2hoV1F1Y1k3UFZ2d2cwekh1cUpzY3JUampRMkx3SzZVamZ1N2NBMk5wckFSMHIvU1JBWEpZWWxkUEtLRnlLS1E9PSJ9" 001Q300000CDtpOIAT MD5: 77C613FFADF1F4B2F50D31EEEC83AF30)
      • conhost.exe (PID: 8084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 1784 cmdline: "cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" / MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageMarketplace.exe (PID: 2112 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "276b7b5e-f540-44a1-92da-1957752c8d37" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 001Q300000CDtpOIAT MD5: 601E661FD5917647D8932600560E6A27)
      • conhost.exe (PID: 2356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageOsUpdates.exe (PID: 4428 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "f202e152-679e-4c58-b00e-ed39c415edc2" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000CDtpOIAT MD5: D3DB1B40EB62C5E1ED9A8AF5065C7FCB)
      • conhost.exe (PID: 4520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Agent.Package.Watchdog.exe (PID: 5912 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "3dfb1fdc-c036-4dd8-a0b7-edb6435936db" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 001Q300000CDtpOIAT MD5: 0B7534A49A757D7525F7FC966D6CAF5F)
      • conhost.exe (PID: 5344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageMonitoring.exe (PID: 2116 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "65366384-0818-4769-8be6-b22dcbed5d6a" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000CDtpOIAT MD5: B50005A1A62AFA85240D1F65165856EB)
      • conhost.exe (PID: 8116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Agent.Package.Watchdog.exe (PID: 5516 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "3dfb1fdc-c036-4dd8-a0b7-edb6435936db" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 001Q300000CDtpOIAT MD5: 0B7534A49A757D7525F7FC966D6CAF5F)
      • conhost.exe (PID: 3604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageInternalPoller.exe (PID: 3844 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "75ab4df9-c133-4579-b7d8-550817dd1a43" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000CDtpOIAT MD5: 01807774F043028EC29982A62FA75941)
      • conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageADRemote.exe (PID: 1748 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "c93ea641-684b-4df2-9842-dc4e21d806d8" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ==" 001Q300000CDtpOIAT MD5: 3180C705182447F4BCC7CE8E2820B25D)
      • conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • AgentPackageUpgradeAgent.exe (PID: 1312 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun MD5: 6095B43FA565DA44E7A818CFB4BACBA2)
    • conhost.exe (PID: 1520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Windows\Temp\~DFA2C5F5D379769A58.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Config.Msi\5836b9.rbs | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Installer\MSI6210.tmp-\AlphaControlAgentInstallation.dll | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
Source | Rule | Description | Author | Strings
00000022.00000002.2022694781.0000021CD9426000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
00000022.00000002.2012563069.0000021CBF5C4000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
00000022.00000002.2012563069.0000021CBF4E0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
0000003B.00000002.2410571379.0000021B9F442000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
00000043.00000002.2504935343.00000226C3150000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
Source | Rule | Description | Author | Strings
43.0.AgentPackageTicketing.exe.26325290000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
18.2.AgentPackageAgentInformation.exe.1f414d60000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
50.0.AgentPackageRuntimeInstaller.exe.25870460000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
50.2.AgentPackageRuntimeInstaller.exe.25871560000.3.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
57.2.AgentPackageMarketplace.exe.1ae12980000.3.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |

System Summary

Source: Process started, Author: frack113, Data: Command: "powershell.exe" Set-ExecutionPolicy Bypass -Scope CurrentUser, CommandLine: "powershell.exe" Set-ExecutionPolicy Bypass -Scope CurrentUser, CommandLine|base64offset|contains: I~%, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "d85c307e-1608-4140-9ac8-c846e708cdc6" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000CDtpOIAT, ParentImage: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, ParentProcessId: 7824, ParentProcessName: AgentPackageAgentInformation.exe, ProcessCommandLine: "powershell.exe" Set-ExecutionPolicy Bypass -Scope CurrentUser, ProcessId: 1028, ProcessName: powershell.exe
Source: Process started, Author: Michael Haag, Data: Command: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3912, ParentProcessName: cmd.exe, ProcessCommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ProcessId: 8072, ProcessName: cscript.exe
Source: Process started, Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements), Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding F3FE6E8483124E64450C53B6CA0F2865 E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7332, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 7368, ProcessName: net.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "powershell.exe" Set-ExecutionPolicy Bypass -Scope CurrentUser, CommandLine: "powershell.exe" Set-ExecutionPolicy Bypass -Scope CurrentUser, CommandLine|base64offset|contains: I~%, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "d85c307e-1608-4140-9ac8-c846e708cdc6" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000CDtpOIAT, ParentImage: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, ParentProcessId: 7824, ParentProcessName: AgentPackageAgentInformation.exe, ProcessCommandLine: "powershell.exe" Set-ExecutionPolicy Bypass -Scope CurrentUser, ProcessId: 1028, ProcessName: powershell.exe
Source: Process started, Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems), Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding F3FE6E8483124E64450C53B6CA0F2865 E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7332, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 7368, ProcessName: net.exe
No Suricata rule has matched

AV Detection

Source: 5836ba.rbf (copy), ReversingLabs: Detection: 15%
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, ReversingLabs: Detection: 15%
Source: setup_it_security (1).msi, ReversingLabs: Detection: 21%
Source: Submited Sample, Integrated Neural Analysis Model: Matched 98.5% probability
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Code function: 34_2_00007FFDF1994BC0 CryptAcquireContextW,GetLastError,CryptReleaseContext,CryptReleaseContext,CryptReleaseContext,34_2_00007FFDF1994BC0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Code function: 34_2_00007FFDF1994DE0 CryptReleaseContext,34_2_00007FFDF1994DE0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Code function: 34_2_00007FFDF1994E20 CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptEncrypt,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,CryptDestroyHash,34_2_00007FFDF1994E20
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.config
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\dotnet\shared
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebHeaderCollection.dll
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-fibers-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Buffers.dll
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.Expressions.dll
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.Specialized.dll
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Windows.dll
Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Resources.Reader.dll
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Overlapped.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\coreclr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Metadata.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-private-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-math-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Memory.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Handles.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XDocument.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\msquic.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-rtlsupport-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.HttpListener.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.NETCore.App.deps.jsonJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.ZipFile.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\ucrtbase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.Native.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebSockets.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Web.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.FileSystem.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebProxy.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-debug-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.Linq.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-string-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.OpenSsl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.Brotli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebSockets.Client.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ValueTuple.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.DiaSymReader.Native.amd64.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Timer.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Transactions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Algorithms.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-filesystem-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.MemoryMappedFiles.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.DispatchProxy.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.TypeConverter.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\createdump.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-processenvironment-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-heap-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.StackTrace.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.ServicePoint.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.IsolatedStorage.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-util-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.NetworkInformation.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.Immutable.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Uri.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Configuration.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.Queryable.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Drawing.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-conio-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebClient.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Data.DataSetExtensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.VisualBasic.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.Parallel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-processthreads-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Requests.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Tools.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.AppContext.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Sockets.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.NonGeneric.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-namedpipe-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Web.HttpUtility.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-interlocked-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Parallel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-profile-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Debug.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-convert-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscorlib.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XPath.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Data.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.Concurrent.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.Win32.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Principal.Windows.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.TextWriterTraceListener.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-handle-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\netstandard.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.Watcher.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XPath.XDocument.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-synch-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-utility-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.NameResolution.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encodings.Web.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Http.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Drawing.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Xml.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.AccessControl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.DataAnnotations.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Principal.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-heap-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.EventBasedAsync.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.RegularExpressions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Numerics.Vectors.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Dynamic.Runtime.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.Win32.Registry.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Claims.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Xml.Linq.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\hostpolicy.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Resources.Writer.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Csp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.TraceSource.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.InteropServices.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-processthreads-l1-1-1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.DataContractSerialization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Mail.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordbi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Http.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.TypeExtensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.AccessControl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.X509Certificates.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-localization-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XmlSerializer.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Thread.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.DriveInfo.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordaccore_amd64_amd64_6.0.3224.31407.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Process.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.ReaderWriter.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-libraryloader-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-sysinfo-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Loader.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-environment-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Data.Common.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Intrinsics.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ObjectModel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Resources.ResourceManager.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Numerics.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Pipes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XmlDocument.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.ILGeneration.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.Serialization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.CompilerServices.VisualC.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.UnmanagedMemoryStream.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Formats.Asn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Channels.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-timezone-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Quic.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-runtime-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Dataflow.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Security.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Transactions.Local.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Console.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.VisualBasic.Core.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Formatters.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Tracing.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\dbgshim.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-locale-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\WindowsBase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\clrjit.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-datetime-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Cng.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.Calendars.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Core.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordaccore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-console-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.NETCore.App.runtimeconfig.jsonJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-string-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\clretwrc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.CompilerServices.Unsafe.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ServiceModel.Web.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.SecureString.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.CSharp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Numerics.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-memory-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Encoding.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.FileVersionInfo.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Contracts.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l2-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscorrc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Xml.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.InteropServices.RuntimeInformation.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Ping.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-synch-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ServiceProcess.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Pipes.AccessControl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.Annotations.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.DiagnosticSource.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-stdio-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.ThreadPool.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.CoreLib.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.CodePages.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\.versionJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-console-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.Lightweight.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-process-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\hostJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxrJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxr\6.0.32Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxr\6.0.32\hostfxr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\dotnet.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\LICENSE.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\ThirdPartyNotices.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\AteraSetupLog.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageRuntimeInstaller.exe.log
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\LICENSE.txt
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.IsolatedStorage\net6.0-windows-Release\System.IO.IsolatedStorage.pdb source: System.IO.IsolatedStorage.dll.1.dr
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading.Tasks\4.0.11.0\System.Threading.Tasks.pdb source: System.Threading.Tasks.dll.26.dr
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdbI source: AgentPackageUpgradeAgent.exe, 00000026.00000002.2871112293.000001FB74162000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb1 source: rundll32.exe, 00000031.00000003.2503536266.00000000025C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000002.2504570311.00000000025C5000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\symbols\dll\System.Net.Http.pdb source: AgentPackageRuntimeInstaller.exe, 00000032.00000002.3176554460.0000025871B60000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000003.00000003.1688487310.00000000048AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.000000000417C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004232000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2322673285.0000000003F1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004036000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb source: AteraAgent.exe, 0000001A.00000002.3112170679.000002673992F000.00000004.00000020.00020000.00000000.sdmp, Agent.Package.Watchdog.exe, 0000003D.00000000.2394409384.00007FF7C3BFA000.00000002.00000001.01000000.00000038.sdmp, Agent.Package.Watchdog.exe, 0000003D.00000002.2397704614.00007FF7C3BFA000.00000002.00000001.01000000.00000038.sdmp, Agent.Package.Watchdog.exe, 00000041.00000000.2435132718.00007FF7C3BFA000.00000002.00000001.01000000.00000038.sdmp, Agent.Package.Watchdog.exe, 00000041.00000002.2438072255.00007FF7C3BFA000.00000002.00000001.01000000.00000038.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000C.00000000.1751873947.0000024AAF9A2000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageADRemote\AgentPackageADRemote\obj\Release\AgentPackageADRemote.pdb source: AgentPackageADRemote.exe, 00000045.00000000.2456310800.000002AC71F72000.00000002.00000001.01000000.00000041.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageInternalPoller\AgentPackageInternalPoller\obj\Release\AgentPackageInternalPoller.pdb source: AgentPackageInternalPoller.exe, 00000043.00000000.2450547233.00000226C2FE2000.00000002.00000001.01000000.0000003E.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000D.00000002.2243451069.00000183BD3E2000.00000002.00000001.01000000.00000025.sdmp
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdbg source: AgentPackageUpgradeAgent.exe, 00000026.00000002.2871112293.000001FB74162000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000003.00000003.1688487310.00000000048DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.00000000041AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004263000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721019000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2021837093.0000021CD8732000.00000002.00000001.01000000.00000023.sdmp, rundll32.exe, 00000030.00000003.2322673285.0000000003F4F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004067000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 00000022.00000002.2020385656.0000021CD8572000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: rundll32.exe, 00000031.00000003.2500161572.0000000002638000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000002.2504824123.0000000002638000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 00000022.00000002.2021058994.0000021CD8652000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/net6.0-Release/System.Diagnostics.EventLog.pdb source: AteraAgent.exe, 0000001A.00000002.2624729604.0000026720DFE000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: System.IO.IsolatedStorage.ni.pdb source: System.IO.IsolatedStorage.dll.1.dr
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XDocument\net6.0-Release\System.Xml.XDocument.pdbt+ source: System.Xml.XDocument.dll.1.dr
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A45E6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000012.00000002.1907392152.000001F414E62000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721636000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002A.00000002.2300115854.0000023138A10000.00000002.00000001.01000000.0000002C.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000003.00000003.1688487310.00000000048DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.00000000041AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DD8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A45E6000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004263000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000012.00000002.1907392152.000001F414E62000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721019000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721636000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2021837093.0000021CD8732000.00000002.00000001.01000000.00000023.sdmp, AgentPackageUpgradeAgent.exe, 0000002A.00000002.2300115854.0000023138A10000.00000002.00000001.01000000.0000002C.sdmp, rundll32.exe, 00000030.00000003.2322673285.0000000003F4F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004067000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMarketplace.exe, 00000039.00000002.2572316301.000001AE2B392000.00000002.00000001.01000000.00000048.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: AgentPackageUpgradeAgent.exe, 00000026.00000002.2857516154.000001FB73FB2000.00000002.00000001.01000000.00000052.sdmp
                                Source: Binary string: \??\C:\Windows\symbols\exe\AgentPackageUpgradeAgent.pdbc source: AgentPackageUpgradeAgent.exe, 00000026.00000002.2871112293.000001FB74162000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates\obj\Release\AgentPackageOsUpdates.pdb source: AgentPackageOsUpdates.exe, 0000003B.00000000.2376608896.0000021B9F272000.00000002.00000001.01000000.00000037.sdmp, AgentPackageOsUpdates.exe, 0000003B.00000002.2558241228.0000021BB846F000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdbr source: AgentPackageMonitoring.exe, 00000022.00000000.1972414430.0000021CBF212000.00000002.00000001.01000000.0000001A.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AgentPackageMonitoring.exe, 00000022.00000000.1972414430.0000021CBF212000.00000002.00000001.01000000.0000001A.sdmp
                                Source: Binary string: AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 00000026.00000002.2684094691.0000003DDE993000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdb source: AgentPackageInternalPoller.exe, 00000043.00000002.2544015296.00000226C3BA2000.00000002.00000001.01000000.00000046.sdmp
                                Source: Binary string: \??\C:\Windows\Installer\MSI33D9.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000031.00000003.2503536266.00000000025C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000002.2504570311.00000000025C5000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb4X source: AgentPackageRuntimeInstaller.exe, 00000032.00000002.3142602040.0000025871562000.00000002.00000001.01000000.00000059.sdmp
                                Source: Binary string: dows\dll\System.pdb source: rundll32.exe, 00000031.00000003.2500161572.0000000002638000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000002.2504824123.0000000002638000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdbSHA256I5 source: AgentPackageOsUpdates.exe, 0000003B.00000002.2551999725.0000021BB83D2000.00000002.00000001.01000000.00000047.sdmp
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Primitives/net6.0-Release/Microsoft.Extensions.Primitives.pdb source: AteraAgent.exe, 0000001A.00000002.2624729604.00000267210CF000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000031.00000002.2509419897.0000000006C90000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: pC:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 00000026.00000002.2684094691.0000003DDE993000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb.u source: rundll32.exe, 00000031.00000002.2509419897.0000000006C90000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Windows\AgentPackageUpgradeAgent.pdbpdbent.pdb source: AgentPackageUpgradeAgent.exe, 00000026.00000002.2871112293.000001FB74162000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000C.00000002.1789075746.0000024AC9EF2000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll0.1.dr
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdb source: AgentPackageOsUpdates.exe, 0000003B.00000002.2427006674.0000021B9FAA2000.00000002.00000001.01000000.0000003A.sdmp
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 00000026.00000002.2684094691.0000003DDE993000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000C.00000002.1789075746.0000024AC9EF2000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll0.1.dr
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Primitives/net6.0-Release/Microsoft.Extensions.Primitives.pdbSHA256*J source: AteraAgent.exe, 0000001A.00000002.2624729604.00000267210CF000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdb source: AteraAgent.exe, 0000001A.00000002.2624729604.0000026721051000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: setup_it_security (1).msi
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdba^{^ m^_CorDllMainmscoree.dll source: AgentPackageOsUpdates.exe, 0000003B.00000002.2427006674.0000021B9FAA2000.00000002.00000001.01000000.0000003A.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdb source: AgentPackageInternalPoller.exe, 00000043.00000002.2538936167.00000226C3A22000.00000002.00000001.01000000.00000043.sdmp
                                Source: Binary string: D:\a\41\s\AteraNugetPackages\Atera.AgentPackages.CommonLib\Atera.AgentPackages.CommonLib\obj\Release\Atera.AgentPackages.CommonLib.pdb source: AgentPackageMarketplace.exe, 00000039.00000002.2448676124.000001AE128B2000.00000002.00000001.01000000.0000003D.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256^Y source: AgentPackageMarketplace.exe, 00000039.00000002.2572316301.000001AE2B392000.00000002.00000001.01000000.00000048.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb source: AgentPackageTicketing.exe, 0000002B.00000000.2278377637.0000026325292000.00000002.00000001.01000000.0000002A.sdmp
                                Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdbes source: rundll32.exe, 00000031.00000002.2504824123.0000000002627000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2500161572.0000000002626000.00000004.00000020.00020000.00000000.sdmp
                                Source: C:\Windows\System32\msiexec.exe File opened: z:
                                Source: C:\Windows\System32\msiexec.exe File opened: x:
                                Source: C:\Windows\System32\msiexec.exe File opened: v:
                                Source: C:\Windows\System32\msiexec.exe File opened: t:
                                Source: C:\Windows\System32\msiexec.exe File opened: r:
                                Source: C:\Windows\System32\msiexec.exe File opened: p:
                                Source: C:\Windows\System32\msiexec.exe File opened: n:
                                Source: C:\Windows\System32\msiexec.exe File opened: l:
                                Source: C:\Windows\System32\msiexec.exe File opened: j:
                                Source: C:\Windows\System32\msiexec.exe File opened: h:
                                Source: C:\Windows\System32\msiexec.exe File opened: f:
                                Source: C:\Windows\System32\msiexec.exe File opened: b:
                                Source: C:\Windows\System32\msiexec.exe File opened: y:
                                Source: C:\Windows\System32\msiexec.exe File opened: w:
                                Source: C:\Windows\System32\msiexec.exe File opened: u:
                                Source: C:\Windows\System32\msiexec.exe File opened: s:
                                Source: C:\Windows\System32\msiexec.exe File opened: q:
                                Source: C:\Windows\System32\msiexec.exe File opened: o:
                                Source: C:\Windows\System32\msiexec.exe File opened: m:
                                Source: C:\Windows\System32\msiexec.exe File opened: k:
                                Source: C:\Windows\System32\msiexec.exe File opened: i:
                                Source: C:\Windows\System32\msiexec.exe File opened: g:
                                Source: C:\Windows\System32\msiexec.exe File opened: e:
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: c:
                                Source: C:\Windows\System32\msiexec.exe File opened: a:
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B3F1FFFh 12_2_00007FFD9B3F1FAC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B3F1873h 12_2_00007FFD9B3F172D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B3E4ECBh 13_2_00007FFD9B3E4E6B
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B404ECBh 26_2_00007FFD9B404E5C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B622B10h 26_2_00007FFD9B622930

                                Networking

                                Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.119.152.241 443
                                Source: Yara match File source: 18.0.AgentPackageAgentInformation.exe.1f414440000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, type: DROPPED
                                Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll, type: DROPPED
                                Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
                                Source: Yara match File source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.dll, type: DROPPED
                                Source: Yara match File source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.dll, type: DROPPED
                                Source: Yara match File source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\netstandard.dll, type: DROPPED
                                Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, type: DROPPED
                                Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, type: DROPPED
                                Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                                Source: AteraAgent.exe, 0000001A.00000002.2624729604.000002672143B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720CEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.AVAILABILITY/0.16/AGENT.PACKAGE.AVAILABILITY.Z
                                Source: AteraAgent.exe, 0000001A.00000002.2624729604.000002672143B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.WATCHDOG/1.5/AGENT.PACKAGE.WATCHDOG.ZIP
                                Source: AteraAgent.exe, 0000001A.00000002.2624729604.000002672143B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEADREMOTE/6.0/AGENTPACKAGEADREMOTE.ZIP
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A44C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEAGENTINFORMATION/37.2/AGENTPACKAGEAGENTINFORMATI
                                Source: AteraAgent.exe, 0000001A.00000002.2624729604.000002672111C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720DC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEHEARTBEAT/17.14/AGENTPACKAGEHEARTBEAT.ZIP
                                Source: AteraAgent.exe, 0000001A.00000002.2624729604.000002672111C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEINTERNALPOLLER/23.8/AGENTPACKAGEINTERNALPOLLER.Z
                                Source: AteraAgent.exe, 0000001A.00000002.2624729604.000002672143B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMARKETPLACE/1.4/AGENTPACKAGEMARKETPLACE.ZIP
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A47CE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.000002672111C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMONITORING/36.9/AGENTPACKAGEMONITORING.ZIP
                                Source: AteraAgent.exe, 0000001A.00000002.2624729604.0000026720DC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEPROGRAMMANAGEMENT/23.1/AGENTPACKAGEPROGRAMMANAGE
                                Source: AteraAgent.exe, 0000001A.00000002.2624729604.000002672143B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGERUNTIMEINSTALLER/1.6/AGENTPACKAGERUNTIMEINSTALLE
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A47CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESTREMOTE/21.7/AGENTPACKAGESTREMOTE.ZIP
                                Source: AteraAgent.exe, 0000001A.00000002.2624729604.000002672111C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720CEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESYSTEMTOOLS/26.8/AGENTPACKAGESYSTEMTOOLS.ZIP
                                Source: AgentPackageSTRemote.exe, 00000028.00000002.2856089852.000001FFA8C20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a6dc35606b2c6816e.awsglobalaccelerator.com
                                Source: AteraAgent.exe, 0000000C.00000000.1751873947.0000024AAF9A2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4321000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://acontrol.atera.com/
                                Source: AteraAgent.exe, 0000000D.00000002.2240249555.00000183BCFD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
                                Source: AteraAgent.exe, 0000000D.00000002.2240249555.00000183BCFD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
                                Source: rundll32.exe, 00000004.00000002.1732354769.0000000004615000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4A1F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A47CE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A490C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A498D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4965000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4632000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1836122126.0000000004655000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000012.00000002.1907793752.000001F41507F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.1907251597.000001D31B23F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721004000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.00000267210CF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.00000267210B1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721114000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2013891908.0000021CC012F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000028.00000002.2856089852.000001FFA8B47000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000028.00000002.2856089852.000001FFA8FAF000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000031.00000002.2506767031.0000000004375000.00000004.00000800.00020000.00000000.sdmp, 
AgentPackageMarketplace.exe, 00000039.00000002.2456662957.000001AE12C22000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMarketplace.exe, 00000039.00000002.2456662957.000001AE12CBE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.0000026600524000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://agent-api.atera.com
                                Source: rundll32.exe, 00000004.00000002.1732354769.0000000004615000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4A1F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A47CE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A490C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4965000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4632000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1836122126.0000000004655000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000012.00000002.1907793752.000001F41507F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.1907251597.000001D31B23F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721004000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.00000267210CF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.00000267210B1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721114000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2013891908.0000021CC012F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000028.00000002.2856089852.000001FFA8B47000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000028.00000002.2856089852.000001FFA8FAF000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000031.00000002.2506767031.0000000004375000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMarketplace.exe, 00000039.00000002.2456662957.000001AE12C22000.00000004.00000800.00020000.00000000.sdmp, 
AgentPackageMarketplace.exe, 00000039.00000002.2456662957.000001AE12CBE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.0000026600524000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.0000026600409000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://atera-agent-api-eu.westeurope.cloudapp.azure.com
                                Source: AgentPackageRuntimeInstaller.exe, 00000032.00000002.2887151173.0000025800705000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://bf0ce49d-77cf-4721-bf70-57686383c9ab.ods.opinsights.azure.com
                                Source: AgentPackageUpgradeAgent.exe, 00000026.00000002.2743952170.000001FB5B8BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://blob.ams08prdstr06a.store.core.windows.net
                                Source: AteraAgent.exe, 0000000D.00000002.2240249555.00000183BD007000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/Digi
                                Source: AteraAgent.exe, 0000001A.00000002.3112170679.00000267398A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredA
                                Source: rundll32.exe, 00000003.00000003.1688487310.00000000048DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.00000000041AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004263000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2322673285.0000000003F4F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004067000.00000004.00000020.00020000.00000000.sdmp, setup_it_security (1).msiString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                                Source: rundll32.exe, 00000003.00000003.1688487310.00000000048DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.00000000041AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DD8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2240249555.00000183BD0B7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A45E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4A4A000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004263000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.3112170679.0000026739909000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.3083045471.0000026739470000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.3083045471.00000267394D7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721019000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720EA7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720DFE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721636000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.00000267210CF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.3112170679.000002673992F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721051000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2322673285.0000000003F4F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000031.00000003.2329938218.0000000004067000.00000004.00000020.00020000.00000000.sdmp, setup_it_security (1).msi, System.Threading.Tasks.dll.26.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                                Source: rundll32.exe, 00000003.00000003.1688487310.00000000048DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.00000000041AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004263000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2322673285.0000000003F4F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004067000.00000004.00000020.00020000.00000000.sdmp, 5836cd.msi.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
                                Source: rundll32.exe, 00000003.00000003.1688487310.00000000048DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.00000000041AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004263000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2322673285.0000000003F4F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004067000.00000004.00000020.00020000.00000000.sdmp, setup_it_security (1).msiString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                                Source: AteraAgent.exe, 0000001A.00000002.3112170679.0000026739909000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.000002672104A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720F85000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720FC8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.00000267210A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
                                Source: AteraAgent.exe, 0000000C.00000002.1788756716.0000024AC9D40000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1788756716.0000024AC9E38000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1787970855.0000024AB1734000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2244474523.00000183BD596000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2240249555.00000183BD0B7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2241813655.00000183BD0E1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A45E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2240249555.00000183BD07D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A498D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4A4A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2240249555.00000183BCFC0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2240249555.00000183BCFE0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.3112170679.0000026739909000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.000002672111C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.3112170679.00000267398A3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.3112170679.0000026739884000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721019000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720EA7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 
0000001A.00000002.2624729604.0000026720DFE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720F85000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721636000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                                Source: rundll32.exe, 00000003.00000003.1688487310.00000000048DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.00000000041AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DD8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1788756716.0000024AC9D40000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2240249555.00000183BD0B7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A45E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2240249555.00000183BD07D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4A4A000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004263000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.3112170679.0000026739909000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.3112170679.00000267398A3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721019000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720EA7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720DFE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721636000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.00000267210CF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.3112170679.000002673992F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721051000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 
00000026.00000002.2743952170.000001FB5B8DD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000026.00000002.2743952170.000001FB5B8E1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000028.00000002.2856089852.000001FFA8C7D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                                Source: AteraAgent.exe, 0000001A.00000002.2581135478.0000026720427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
                                Source: AteraAgent.exe, 0000001A.00000002.2581135478.0000026720427000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt&N
                                Source: rundll32.exe, 00000003.00000003.1688487310.00000000048DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.00000000041AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DD8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2240249555.00000183BD083000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2240249555.00000183BD0B7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A45E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2240249555.00000183BD07D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4A4A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2240249555.00000183BD007000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2240249555.00000183BCFC0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2240249555.00000183BCFE0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004263000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000012.00000002.1909075907.000001F42D610000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.1908439541.000001D333BCD000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.1908439541.000001D333B30000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.3112170679.0000026739909000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.3112170679.00000267398A3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721019000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 
0000001A.00000002.2624729604.0000026720EA7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720DFE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721636000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                                Source: AteraAgent.exe, 0000000D.00000002.2240249555.00000183BD007000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crtO
                                Source: rundll32.exe, 00000003.00000003.1688487310.00000000048DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.00000000041AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004263000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2322673285.0000000003F4F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004067000.00000004.00000020.00020000.00000000.sdmp, setup_it_security (1).msiString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
                                Source: rundll32.exe, 00000003.00000003.1688487310.00000000048DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.00000000041AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004263000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2322673285.0000000003F4F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004067000.00000004.00000020.00020000.00000000.sdmp, 5836cd.msi.1.drString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
                                Source: AteraAgent.exe, 0000000D.00000002.2240249555.00000183BD083000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com:80/DigiCertTrustedRootG4.crt
                                Source: AgentPackageRuntimeInstaller.exe, 00000032.00000002.3176554460.0000025871BB0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mi
                                Source: AgentPackageRuntimeInstaller.exe, 00000032.00000002.3176554460.0000025871BB0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
                                Source: AgentPackageRuntimeInstaller.exe, 00000032.00000002.3176554460.0000025871BB0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro8c
                                Source: rundll32.exe, 00000010.00000002.1836950435.0000000006E10000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000026.00000002.2871112293.000001FB74162000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
                                Source: AteraAgent.exe, 0000001A.00000002.3083045471.00000267394D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.v
                                Source: AteraAgent.exe, 0000000C.00000002.1789279032.0000024ACA193000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1787151853.0000024AAFB13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/
                                Source: rundll32.exe, 00000003.00000003.1688487310.00000000048DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.00000000041AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DD8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2240249555.00000183BD0B7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A45E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4A4A000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004263000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.3112170679.0000026739909000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.3083045471.0000026739470000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.3083045471.00000267394D7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2581135478.00000267203C8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721019000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720EA7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720DFE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721636000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.00000267210CF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.3112170679.000002673992F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721051000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 
00000030.00000003.2322673285.0000000003F4F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004067000.00000004.00000020.00020000.00000000.sdmp, setup_it_security (1).msiString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                                Source: rundll32.exe, 00000003.00000003.1688487310.00000000048DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.00000000041AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004263000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2322673285.0000000003F4F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004067000.00000004.00000020.00020000.00000000.sdmp, setup_it_security (1).msiString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                                Source: rundll32.exe, 00000003.00000003.1688487310.00000000048DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.00000000041AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004263000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2322673285.0000000003F4F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004067000.00000004.00000020.00020000.00000000.sdmp, 5836cd.msi.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
                                Source: rundll32.exe, 00000003.00000003.1688487310.00000000048DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.00000000041AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004263000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2322673285.0000000003F4F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004067000.00000004.00000020.00020000.00000000.sdmp, setup_it_security (1).msiString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
                                Source: AgentPackageSTRemote.exe, 00000028.00000002.2856089852.000001FFA8C7D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000028.00000002.2856089852.000001FFA8C79000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertT
                                Source: AteraAgent.exe, 0000001A.00000002.3112170679.0000026739909000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.3112170679.0000026739834000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.3112170679.00000267398C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                                Source: AteraAgent.exe, 0000000D.00000002.2215301309.00000183A3CA1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.3083045471.0000026739496000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
                                Source: AteraAgent.exe, 0000000D.00000002.2240249555.00000183BD007000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
                                Source: AteraAgent.exe, 0000001A.00000002.3112170679.0000026739884000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crlzF
                                Source: AgentPackageUpgradeAgent.exe, 00000026.00000002.2743952170.000001FB5B8BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://packagesstore.blob.core.windows.net
                                Source: powershell.exe, 00000036.00000002.2394542463.0000019500231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A47CE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.00000267216DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720FC8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.00000267210CF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ps.atera.com
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A45D0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A46F2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A47CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ps.pndsn.com
                                Source: AteraAgent.exe, 0000000C.00000002.1787970855.0000024AB1734000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org
                                Source: AteraAgent.exe, 0000000C.00000002.1787970855.0000024AB1734000.00000004.00000800.00020000.00000000.sdmp, System.Private.DataContractSerialization.dll.1.drString found in binary or memory: http://schemas.datacontract.org/2004/07/
                                Source: System.Private.DataContractSerialization.dll.1.drString found in binary or memory: http://schemas.datacontract.org/2004/07/System.Collections.GenericJ
                                Source: System.Private.DataContractSerialization.dll.1.drString found in binary or memory: http://schemas.datacontract.org/2004/07/System.IO
                                Source: System.Private.DataContractSerialization.dll.1.drString found in binary or memory: http://schemas.datacontract.org/2004/07/System.Runtime.Serialization
                                Source: AteraAgent.exe, 0000000C.00000002.1787970855.0000024AB1734000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
                                Source: System.Private.DataContractSerialization.dll.1.drString found in binary or memory: http://schemas.datacontract.org/2004/07/System.Xml
                                Source: System.Private.DataContractSerialization.dll.1.drString found in binary or memory: http://schemas.datacontract.org/2004/07/SystemV
                                Source: System.Private.DataContractSerialization.dll.1.drString found in binary or memory: http://schemas.datacontract.org/2004/07/SystemY
                                Source: System.Private.DataContractSerialization.dll.1.drString found in binary or memory: http://schemas.datacontract.org/2004/07/dhttp://schemas.datacontract.org/2004/07/System.XmlRhttp://w
                                Source: powershell.exe, 00000024.00000002.2281418929.00000204BCE68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2281418929.00000204BD576000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2021058994.0000021CD8652000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                                Source: rundll32.exe, 00000004.00000002.1732354769.0000000004551000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1732354769.00000000045F4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4321000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1836122126.0000000004591000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1836122126.0000000004634000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000012.00000002.1907793752.000001F41500F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.1907251597.000001D31B193000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720BE1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2013891908.0000021CBFCAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2281418929.00000204BCC41000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000026.00000002.2743952170.000001FB5B781000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000028.00000002.2856089852.000001FFA8AD8000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000031.00000002.2506767031.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000031.00000002.2506767031.0000000004350000.00000004.00000800.00020000.00000000.sdmp, AgentPackageRuntimeInstaller.exe, 00000032.00000002.2887151173.00000258000A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2394542463.0000019500001000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMarketplace.exe, 00000039.00000002.2456662957.000001AE12BA9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 
0000003F.00000002.2592969488.000002660029B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 00000043.00000002.2546667690.00000226C3C10000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                Source: powershell.exe, 00000024.00000002.2281418929.00000204BCE68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2281418929.00000204BD576000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                                Source: rundll32.exe, 00000003.00000003.1688487310.00000000048DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.00000000041AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004263000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2322673285.0000000003F4F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004067000.00000004.00000020.00020000.00000000.sdmp, setup_it_security (1).msiString found in binary or memory: http://wixtoolset.org
                                Source: rundll32.exe, 00000003.00000003.1688487310.00000000048AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.000000000417C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004232000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2322673285.0000000003F1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004036000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
                                Source: rundll32.exe, 00000003.00000003.1688487310.00000000048AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.000000000417C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004232000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2322673285.0000000003F1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004036000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/news/
                                Source: rundll32.exe, 00000003.00000003.1688487310.00000000048AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.000000000417C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004232000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2322673285.0000000003F1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004036000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/releases/
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2013672406.0000021CBFB62000.00000002.00000001.01000000.0000001E.sdmp, AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.00000266000E6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.00000266005E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.abit.com.tw/
                                Source: powershell.exe, 00000036.00000002.2394542463.0000019500231000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                                Source: AteraAgent.exe, 0000000D.00000002.2240249555.00000183BD007000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class2.crl0
                                Source: AteraAgent.exe, 0000000D.00000002.2240249555.00000183BD007000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3.crl0
                                Source: AteraAgent.exe, 0000000D.00000002.2232940589.00000183BCB41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-std0
                                Source: AteraAgent.exe, 0000000D.00000002.2240249555.00000183BD007000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.defence.gov.au/pki0
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A46E9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A47CE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4B47000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4621000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4632000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.000002672104A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720F85000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720FC8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.00000267210A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS
                                Source: rundll32.exe, 00000003.00000003.1688487310.00000000048DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.00000000041AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DD8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1788756716.0000024AC9D40000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1788756716.0000024AC9E38000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1787970855.0000024AB1734000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2240249555.00000183BD0B7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2241813655.00000183BD0E1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A45E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2240249555.00000183BD07D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A498D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4A4A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2240249555.00000183BCFC0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004263000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.3112170679.0000026739909000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.000002672111C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.3112170679.00000267398A3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.3112170679.0000026739884000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 
0000001A.00000002.2624729604.0000026721019000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720EA7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720DFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                                Source: AteraAgent.exe, 0000000D.00000002.2244086338.00000183BD525000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2240249555.00000183BD007000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-trust.be/CPS/QNcerts
                                Source: AteraAgent.exe, 0000000D.00000002.2232940589.00000183BCB41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.firmaprofesional.com/cps0
                                Source: AteraAgent.exe, 0000000D.00000002.2244086338.00000183BD50D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.globaltrust.info0
                                Source: AteraAgent.exe, 0000000D.00000002.2244086338.00000183BD50D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.globaltrust.info0=
                                Source: AteraAgent.exe, 0000000D.00000002.2240249555.00000183BCFD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
                                Source: AteraAgent.exe, 0000000C.00000002.1787970855.0000024AB1734000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                                Source: AteraAgent.exe, 0000000C.00000002.1787970855.0000024AB1734000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.oh
                                Source: AteraAgent.exe, 0000001A.00000002.2624729604.00000267210CF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.P
                                Source: rundll32.exe, 00000004.00000002.1732354769.00000000045F4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000031.00000002.2506767031.0000000004350000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.aterD
                                Source: rundll32.exe, 00000010.00000002.1836122126.0000000004634000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.aterDf
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A47CE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A45A0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A498D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4632000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004232000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1836122126.0000000004591000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1836122126.0000000004634000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000012.00000002.1907793752.000001F41500F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.1907251597.000001D31B193000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.00000267216DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721004000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720DFE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.00000267210CF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.00000267210B1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2013891908.0000021CBFCAD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000028.00000002.2856089852.000001FFA8AD8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000028.00000002.2856089852.000001FFA8FAF000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2322673285.0000000003F1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000031.00000002.2506767031.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004036000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000002.2506767031.0000000004350000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com
                                Source: rundll32.exe, 00000003.00000003.1688487310.00000000048AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1732354769.0000000004551000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1732354769.00000000045F4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.000000000417C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004232000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1836122126.0000000004591000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1836122126.0000000004634000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2322673285.0000000003F1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000002.2506767031.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004036000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000002.2506767031.0000000004350000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/
                                Source: AgentPackageAgentInformation.exe, 00000012.00000002.1907793752.000001F41500F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.1907251597.000001D31B193000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000028.00000002.2856089852.000001FFA8AD8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production
                                Source: AteraAgent.exe, 0000001A.00000002.2624729604.00000267210CF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/A
                                Source: rundll32.exe, 00000003.00000003.1688487310.00000000048AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1732354769.0000000004551000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1732354769.00000000045F4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.000000000417C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DA7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A46E9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A47CE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A45A0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004232000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1836122126.0000000004591000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1836122126.0000000004634000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2322673285.0000000003F1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000002.2506767031.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004036000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000002.2506767031.0000000004350000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A45A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AcknowledgeCommands
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A43D1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A45E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.00000267210B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A45E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting)
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A498D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandReportError
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A498D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandReportErrored.
                                Source: AgentPackageAgentInformation.exe, 00000012.00000002.1907793752.000001F41500F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.1907251597.000001D31B193000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResult
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4433000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A43A4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721004000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720EA7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommands
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A43D1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4433000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetEnvironmentStatus
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackages
                                Source: AgentPackageSTRemote.exe, 00000028.00000002.2856089852.000001FFA8AD8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRemoteToolStatusWithAccount
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A498D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.00000267216DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720DFE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.00000267210CF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/Trace
                                Source: AgentPackageInternalPoller.exe, 00000043.00000002.2546667690.00000226C3C10000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/agentMonitoredDevices/219cfac1-8d31-4145-a06a-203fddd62
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2013891908.0000021CBFCAD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/thresholds/219cfac1-8d31-4145-a06a-203fddd623c4
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A439C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4433000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4433000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720CEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/27.9/AgentPackageTicketing.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4433000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720CEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/26.8/AgentPackageUpgradeAgent.zip
                                Source: AteraAgent.exe, 0000001A.00000002.2624729604.0000026720CEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/26.8/AgentPackageUpgradeAgent.zip?k
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4433000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A439C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4377000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A439C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.IotPoc/13.0/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A439C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4377000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4632000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformation
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A475B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMonitoring/22.0/AgentPackaPXY
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A47CE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A476A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMonitoring/22.0/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A439C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstaller
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A47CE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A476A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A475B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A439C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTaskScheduler/13.1/AgentPackageTaskScheduler.zip
                                Source: AgentPackageSTRemote.exe, 00000028.00000000.2268161629.000001FFA80D2000.00000002.00000001.01000000.00000029.sdmp, AgentPackageSTRemote.exe, 00000028.00000002.2856089852.000001FFA8B90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exe
                                Source: AgentPackageSTRemote.exe, 00000028.00000000.2268161629.000001FFA80D2000.00000002.00000001.01000000.00000029.sdmpString found in binary or memory: https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exepUsers/Shared/Splashtop
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A46F2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A47CE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A45A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A43D1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A45D0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A46F2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A47CE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A48F7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720C82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4433000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=37bd1572-18d4-4b0e-be25-af80b21a6836
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A43D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9254bf6a-57df-4f26-bd7b-e4fc6b728f93
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A47CE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9b8d3516-71ee-4f57-9a4a-7e2213f9d6fb
                                Source: AteraAgent.exe, 0000001A.00000002.2624729604.0000026720C82000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b21d8946-8bcb-4852-b22f-dd85eec2b7e2
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4433000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=bc923900-060f-46ef-b422-ce5e4abffd8f
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A46F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=d2a433d6-688e-49a3-9e19-7baeb35ecd5f
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4632000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720CEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/219cfac1-8d31-4145-a06a
                                Source: AgentPackageRuntimeInstaller.exe, 00000032.00000000.2344551028.0000025870462000.00000002.00000001.01000000.00000035.sdmpString found in binary or memory: https://s.ods.opinsights.azure.com/api/logs?api-version=2016-04-01
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2020595602.0000021CD85E2000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: https://system.data.sqlite.org/
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2020988692.0000021CD8644000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: https://system.data.sqlite.org/X
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2020595602.0000021CD85E2000.00000002.00000001.01000000.00000021.sdmpString found in binary or memory: https://urn.to/r/sds_see
                                Source: 5836cd.msi.1.drString found in binary or memory: https://wixtoolset.org/
                                Source: rundll32.exe, 00000003.00000003.1688487310.00000000048DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.00000000041AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004263000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2322673285.0000000003F4F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004067000.00000004.00000020.00020000.00000000.sdmp, setup_it_security (1).msiString found in binary or memory: https://www.digicert.com/CPS0
                                Source: rundll32.exe, 00000003.00000003.1688487310.00000000048DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.00000000041AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004263000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2322673285.0000000003F4F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004067000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/json
                                Source: AgentPackageMarketplace.exe, 00000039.00000002.2572316301.000001AE2B392000.00000002.00000001.01000000.00000048.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2021781383.0000021CD8728000.00000002.00000001.01000000.00000022.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2021058994.0000021CD8652000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
                                Source: rundll32.exe, 00000003.00000003.1688487310.00000000048DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.00000000041AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DD8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A45E6000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004263000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000012.00000002.1907392152.000001F414E62000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721019000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721636000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2021837093.0000021CD8732000.00000002.00000001.01000000.00000023.sdmp, AgentPackageUpgradeAgent.exe, 0000002A.00000002.2300115854.0000023138A10000.00000002.00000001.01000000.0000002C.sdmp, rundll32.exe, 00000030.00000003.2322673285.0000000003F4F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004067000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMarketplace.exe, 00000039.00000002.2572316301.000001AE2B392000.00000002.00000001.01000000.00000048.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                                Source: AgentPackageMonitoring.exeString found in binary or memory: https://www.sqlite.org/copyright.html
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2036512634.00007FFDF1B24000.00000002.00000001.01000000.0000001B.sdmpString found in binary or memory: https://www.sqlite.org/copyright.html2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                                Spam, unwanted Advertisements and Ransom Demands

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AlphaAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation.zip | entropy: 7.99935481254
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote.zip | entropy: 7.99933745264
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring.zip | entropy: 7.99991937457
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller.zip | entropy: 7.99964488126
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote.zip | entropy: 7.99969341055
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates.zip | entropy: 7.99870723887
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability.zip | entropy: 7.9990874153
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace.zip | entropy: 7.99970533772
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement.zip | entropy: 7.99991289858
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat.zip | entropy: 7.99929084246
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools.zip | entropy: 7.99935468667
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog.zip | entropy: 7.99897258519
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent.zip | entropy: 7.99952935828
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing.zip | entropy: 7.99988424515
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller.zip | entropy: 7.99966017869
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\6-0-32.exe | entropy: 7.99831158855

                                System Summary

                                Source: Process Memory Space: powershell.exe PID: 412, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Process created: Commandline size = 2566
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI380B.tmp-
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI380B.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI380B.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI380B.tmp-\Newtonsoft.Json.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI380B.tmp-\System.Management.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI380B.tmp-\CustomAction.config
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI3C81.tmp-
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI3C81.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI3C81.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI3C81.tmp-\Newtonsoft.Json.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI3C81.tmp-\System.Management.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI3C81.tmp-\CustomAction.config
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI4B86.tmp-
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI4B86.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI4B86.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI4B86.tmp-\Newtonsoft.Json.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI4B86.tmp-\System.Management.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI4B86.tmp-\CustomAction.config
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\InstallUtil.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI6210.tmp-
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI6210.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI6210.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI6210.tmp-\Newtonsoft.Json.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI6210.tmp-\System.Management.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI6210.tmp-\CustomAction.config
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI30EA.tmp-
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI30EA.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI30EA.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI30EA.tmp-\Newtonsoft.Json.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI30EA.tmp-\System.Management.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI30EA.tmp-\CustomAction.config
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI33D9.tmp-
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI33D9.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI33D9.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI33D9.tmp-\Newtonsoft.Json.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI33D9.tmp-\System.Management.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI33D9.tmp-\CustomAction.config
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageRuntimeInstaller.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMarketplace.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageADRemote.exe.log
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI380B.tmp
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF19885D434_2_00007FFDF19885D4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF1ABE5B034_2_00007FFDF1ABE5B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF19D051034_2_00007FFDF19D0510
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF1A0455034_2_00007FFDF1A04550
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF198A52434_2_00007FFDF198A524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF19944DC34_2_00007FFDF19944DC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF19E64A034_2_00007FFDF19E64A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF198E80C34_2_00007FFDF198E80C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF1A1A7E034_2_00007FFDF1A1A7E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF199E72034_2_00007FFDF199E720
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF199273834_2_00007FFDF1992738
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF1ABC68034_2_00007FFDF1ABC680
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF1988A3C34_2_00007FFDF1988A3C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF19DE99034_2_00007FFDF19DE990
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF1A7691034_2_00007FFDF1A76910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF199886034_2_00007FFDF1998860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF1A4686034_2_00007FFDF1A46860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF19828C034_2_00007FFDF19828C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF19D88A034_2_00007FFDF19D88A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF1A2CC0034_2_00007FFDF1A2CC00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF19D8B9034_2_00007FFDF19D8B90
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF1A6AB0034_2_00007FFDF1A6AB00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF19FCB5034_2_00007FFDF19FCB50
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF19A6A8034_2_00007FFDF19A6A80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF1A4AA7034_2_00007FFDF1A4AA70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF19C8A6034_2_00007FFDF19C8A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF19E0E3034_2_00007FFDF19E0E30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF1ABCD6034_2_00007FFDF1ABCD60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF1984DB434_2_00007FFDF1984DB4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF19F4D0034_2_00007FFDF19F4D00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF1A06D2034_2_00007FFDF1A06D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF1AD0D3034_2_00007FFDF1AD0D30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF1A48D2034_2_00007FFDF1A48D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF1AB4C8034_2_00007FFDF1AB4C80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF1996CC034_2_00007FFDF1996CC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF19CACD034_2_00007FFDF19CACD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF19C902034_2_00007FFDF19C9020
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF1992F8C34_2_00007FFDF1992F8C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF1A1EFD034_2_00007FFDF1A1EFD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF19CAFB034_2_00007FFDF19CAFB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF19ACE7034_2_00007FFDF19ACE70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF198CEA834_2_00007FFDF198CEA8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFD9B3E0FAA34_2_00007FFD9B3E0FAA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFD9B3DF73D34_2_00007FFD9B3DF73D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFD9B3E0FDE34_2_00007FFD9B3E0FDE
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFD9B3DCC7B34_2_00007FFD9B3DCC7B
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFD9B3DBD5134_2_00007FFD9B3DBD51
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFD9B5F2AEB34_2_00007FFD9B5F2AEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFD9B5F31C634_2_00007FFD9B5F31C6
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFD9B5FEFA834_2_00007FFD9B5FEFA8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFD9B70644D34_2_00007FFD9B70644D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFD9B73513834_2_00007FFD9B735138
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFD9B7058E734_2_00007FFD9B7058E7
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFD9B6F403D34_2_00007FFD9B6F403D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFD9B744DA034_2_00007FFD9B744DA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFD9B7034B134_2_00007FFD9B7034B1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFD9B70455734_2_00007FFD9B704557
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFD9B731F8834_2_00007FFD9B731F88
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFD9B7C0A9734_2_00007FFD9B7C0A97
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFD9B7C4EA834_2_00007FFD9B7C4EA8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFD9B7D31F034_2_00007FFD9B7D31F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFD9B96000A34_2_00007FFD9B96000A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFD9B97B79134_2_00007FFD9B97B791
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFD9B973B4C34_2_00007FFD9B973B4C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFD9B96C18C34_2_00007FFD9B96C18C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFDF1AD1D30 appears 114 times
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFDF1AD1B70 appears 102 times
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFDF1AD06B0 appears 145 times
                                Source: System.Reflection.Metadata.dll.1.drStatic PE information: No import functions for PE file found
                                Source: System.Memory.dll.1.drStatic PE information: No import functions for PE file found
                                Source: System.Private.CoreLib.dll.1.drStatic PE information: No import functions for PE file found
                                Source: System.ComponentModel.Primitives.dll.1.drStatic PE information: No import functions for PE file found
                                Source: api-ms-win-crt-stdio-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
                                Source: api-ms-win-crt-math-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
                                Source: api-ms-win-crt-private-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
                                Source: System.Diagnostics.DiagnosticSource.dll.1.drStatic PE information: No import functions for PE file found
                                Source: System.Text.Encoding.CodePages.dll.1.drStatic PE information: No import functions for PE file found
                                Source: api-ms-win-core-console-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
                                Source: System.ComponentModel.Annotations.dll.1.drStatic PE information: No import functions for PE file found
                                Source: api-ms-win-crt-process-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
                                Source: System.Security.Cryptography.Primitives.dll.1.drStatic PE information: No import functions for PE file found
                                Source: setup_it_security (1).msiBinary or memory string: OriginalFilenameAlphaControlAgentInstallation.dll\ vs setup_it_security (1).msi
                                Source: setup_it_security (1).msiBinary or memory string: OriginalFilenameSfxCA.dll\ vs setup_it_security (1).msi
                                Source: setup_it_security (1).msiBinary or memory string: OriginalFilenamewixca.dll\ vs setup_it_security (1).msi
                                Source: Process Memory Space: powershell.exe PID: 412, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                                Source: System.Security.Cryptography.Primitives.dll.1.dr, CryptoStream.csCryptographic APIs: 'TransformFinalBlock'
                                Source: System.Security.Cryptography.Primitives.dll.1.dr, CryptoStream.csCryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
                                Source: System.Security.Cryptography.Primitives.dll.1.dr, CryptoStream.csCryptographic APIs: '', 'TransformBlock'
                                Source: System.Security.Cryptography.Primitives.dll.1.dr, SymmetricAlgorithm.csCryptographic APIs: ''
                                Source: System.Diagnostics.DiagnosticSource.dll.1.dr, DistributedContextPropagator.csSuspicious method names: .DistributedContextPropagator.Inject
                                Source: System.Diagnostics.DiagnosticSource.dll.1.dr, DistributedContextPropagator.csSuspicious method names: .DistributedContextPropagator.InjectBaggage
                                Source: System.Diagnostics.DiagnosticSource.dll.1.dr, LegacyPropagator.csSuspicious method names: .LegacyPropagator.Inject
                                Source: System.Diagnostics.DiagnosticSource.dll.1.dr, PassThroughPropagator.csSuspicious method names: .PassThroughPropagator.Inject
                                Source: System.Diagnostics.DiagnosticSource.dll.1.dr, NoOutputPropagator.csSuspicious method names: .NoOutputPropagator.Inject
                                Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winMSI@128/925@0/13
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA NetworksJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.logJump to behavior
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7524:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7376:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7824:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8116:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3604:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7484:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMutant created: \BaseNamedObjects\Global\NLog-FileFileArchiveLock-c:_program files (x86)_atera networks_ateraagent_packages_agentpackageosupdates_log.txt
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8024:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7440:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7240:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\GenericDevicesFileLock
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMutant created: \BaseNamedObjects\Global\Access_ISABUS.HTP.Method
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7336:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeMutant created: NULL
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6528:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7464:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7792:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2148:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6108:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:480:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMutant created: \BaseNamedObjects\NLogMutexTester
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeMutant created: \BaseNamedObjects\Global\NLog-FileFileArchiveLock-c:_program files (x86)_atera networks_ateraagent_packages_agentpackageruntimeinstaller_log.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\SNMPDevicesFileLock
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMutant created: \BaseNamedObjects\Global\NLog-FileFileArchiveLock-c:_program files (x86)_atera networks_ateraagent_packages_agentpackagemonitoring_log.txt
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7332:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5344:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMutant created: \BaseNamedObjects\Global\Access_PCI
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\HttpDevicesFileLock
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7028:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4520:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1520:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8084:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2356:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\ServerDevicesFileLock
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DFA33DC725B6A6D433.TMPJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AteraAgent.exe")
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                                Source: C:\Windows\System32\msiexec.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI380B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5781625 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: AgentPackageMonitoring.exe, 00000022.00000000.1972414430.0000021CBF212000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: SELECT Identifier, Severity, Timestamp FROM ThresholdDuration WHERE Identifier = @id;kDELETE FROM ThresholdDuration WHERE Identifier = @id;
                                Source: AgentPackageMonitoring.exe, 00000022.00000000.1972414430.0000021CBF212000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: INSERT INTO [AlertsSent] (Timestamp, Alerts) VALUES (@timestamp, @alerts);kExecuteScriptAsync SystemTools Start scriptGuid : {0}Wrunscriptguid {0} 10 W10= disableSendResultC{0} {1} {2} {3} or8ixLi90Mf "{4}"
                                Source: 5836cd.msi.1.drBinary or memory string: SELECT `WixDependencyProvider`.`WixDependencyProvider`, `WixDependencyProvider`.`Component_`, `WixDependencyProvider`.`ProviderKey`, `WixDependencyProvider`.`Attributes` FROM `WixDependencyProvider`SELECT `WixDependency`.`WixDependency`, `WixDependencyProvider`.`Component_`, `WixDependency`.`ProviderKey`, `WixDependency`.`MinVersion`, `WixDependency`.`MaxVersion`, `WixDependency`.`Attributes` FROM `WixDependencyProvider`, `WixDependency`, `WixDependencyRef` WHERE `WixDependency`.`WixDependency` = `WixDependencyRef`.`WixDependency_` AND `WixDependencyProvider`.`WixDependencyProvider` = `WixDependencyRef`.`WixDependencyProvider_`WixDependencyRequireFailed to initialize.Failed to initialize the registry functions.ALLUSERSFailed to ensure required dependencies for (re)installing components.WixDependencyCheckFailed to ensure absent dependents for uninstalling components.WixDependencySkipping the dependency check since no dependencies are authored.Failed to check if the WixDependency table exists.Failed to initialize the unique dependency string list.Failed to open the query view for dependencies.Failed to get WixDependency.WixDependency.Failed to get WixDependencyProvider.Component_.Skipping dependency check for %ls because the component %ls is not being (re)installed.Failed to get WixDependency.ProviderKey.Failed to get WixDependency.MinVersion.Failed to get WixDependency.MaxVersion.Failed to get WixDependency.Attributes.Failed dependency check for %ls.Failed to enumerate all of the rows in the dependency query view.Failed to create the dependency record for message %d.Unexpected message response %d from user or bootstrapper application.Failed to get the ignored dependents.ALLFailed to check if "ALL" was set in IGNOREDEPENDENCIES.Skipping the dependencies check since IGNOREDEPENDENCIES contains "ALL".WixDependencyProviderSkipping the dependents check since no dependency providers are 
authored.Failed to check if the WixDependencyProvider table exists.Failed to open the query view for dependency providers.Failed to get WixDependencyProvider.WixDependencyProvider.Failed to get WixDependencyProvider.Component.Skipping dependents check for %ls because the component %ls is not being uninstalled.Failed to get WixDependencyProvider.ProviderKey.Failed to get WixDependencyProvider.Attributes.Failed dependents check for %ls.Failed to enumerate all of the rows in the dependency provider query view.;IGNOREDEPENDENCIESFailed to get the string value of the IGNOREDEPENDENCIES property.Failed to create the string dictionary.Failed to ignored dependency "%ls" to the string dictionary.c:\agent\_work\36\s\wix\src\ext\dependencyextension\ca\wixdepca.cppNot enough memory to create the message record.Failed to set the message identifier into the message record.Failed to set the number of dependencies into the message record.The dependency "%ls" is missing or is not the required version.Found dependent "%ls", name: "%ls".Failed to set the dependency key "%ls" into the messa
                                Source: AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.000002660029B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdDuration (Identifier,Severity,Timestamp) Values (@identifier, @severity, @timestamp) ON CONFLICT (Identifier) DO UPDATE SET Severity = excluded.Severity, Timestamp = excluded.Timestamp;@
                                Source: AgentPackageMonitoring.exe, 00000022.00000000.1972414430.0000021CBF212000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.000002660029B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdDuration (Identifier,Severity,Timestamp) Values (@identifier, @severity, @timestamp) ON CONFLICT (Identifier) DO UPDATE SET Severity = excluded.Severity, Timestamp = excluded.Timestamp;
                                Source: AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.000002660029B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO Statistics(Name, Timestamp, Value) Values (@name, @timestamp, @value);
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2013891908.0000021CBFCAD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.00000266000E6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);
                                Source: AgentPackageMonitoring.exe, 00000022.00000000.1972414430.0000021CBF212000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2013891908.0000021CBFCAD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS StatisticsSendTime (Id INTEGER PRIMARY KEY,Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000022.00000000.1972414430.0000021CBF212000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: INSERT INTO Statistics(Name, Timestamp, Value) Values (@name, @timestamp, @value);%StatisticsSendTime
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2013891908.0000021CBFCAD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);@
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000022.00000002.2035966655.00007FFDF1ADA000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                                Source: AgentPackageMonitoring.exe, 00000022.00000000.1972414430.0000021CBF212000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2013891908.0000021CBFCAD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.00000266000E6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2013891908.0000021CBFCAD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);@
                                Source: AgentPackageMonitoring.exe, 00000022.00000000.1972414430.0000021CBF212000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2013891908.0000021CBFCAD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Stub (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2013891908.0000021CBFCAD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.00000266000E6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.0000026600583000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO StatisticsSendTime (Timestamp) Values (@timestamp);
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2013891908.0000021CBFCAD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);@
                                Source: AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.0000026600437000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO [AlertsSent] (Timestamp, Alerts) VALUES (@timestamp, @alerts);
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2035966655.00007FFDF1ADA000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2013891908.0000021CBFCAD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000022.00000002.2035966655.00007FFDF1ADA000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000022.00000002.2035966655.00007FFDF1ADA000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                                Source: AgentPackageMonitoring.exe, 00000022.00000000.1972414430.0000021CBF212000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.00000266004A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT Timestamp FROM StatisticsSendTime ORDER BY Timestamp DESC LIMIT 1;
                                Source: AgentPackageMonitoring.exe, 00000022.00000000.1972414430.0000021CBF212000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);sSELECT MAX([Timestamp]) AS [TimeStamp] FROM [AlertsSent];
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000022.00000002.2035966655.00007FFDF1ADA000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                                Source: AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.00000266004A4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT Id, Name, Timestamp, Value FROM Statistics;
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2013891908.0000021CBFCAD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);@
                                Source: AgentPackageMonitoring.exe, 00000022.00000000.1972414430.0000021CBF212000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: SELECT [Id], [Alerts], [Timestamp] FROM [AlertsSent] ORDER BY [Timestamp] DESC LIMIT 1;
                                Source: AgentPackageMonitoring.exe, 00000022.00000000.1972414430.0000021CBF212000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);/DELETE FROM Statistics;eSELECT Id, Name, Timestamp, Value FROM Statistics;
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2013891908.0000021CBFCAD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000022.00000000.1972414430.0000021CBF212000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2013891908.0000021CBFCAD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.00000266000E6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000022.00000002.2035966655.00007FFDF1ADA000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2013891908.0000021CC0161000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2013891908.0000021CBFCAD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2013891908.0000021CBFCAD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL);
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2013891908.0000021CC0161000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;@
                                Source: AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.000002660029B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT MAX([Timestamp]) AS [TimeStamp] FROM [AlertsSent];
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000022.00000002.2035966655.00007FFDF1ADA000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                                Source: AgentPackageMonitoring.exe, 00000022.00000000.1972414430.0000021CBF212000.00000002.00000001.01000000.0000001A.sdmpBinary or memory string: select Name from Win32_PerfFormattedData_Tcpip_NetworkInterface!DataStatsEnabled9InboundBandwidthStatsEnabled;OutboundBandwidthStatsEnabled
                                Source: AgentPackageMonitoring.exe, 00000022.00000000.1972414430.0000021CBF212000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.00000266006F3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT Id, IsActive, Timestamp, Name, Thresholds FROM ThresholdsProfiles ORDER BY Timestamp DESC LIMIT 1;
                                Source: AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.000002660029B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT Identifier, Severity, Timestamp FROM ThresholdDuration WHERE Identifier = @id;
                                Source: setup_it_security (1).msiStatic file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
                                Source: setup_it_security (1).msiReversingLabs: Detection: 21%
                                Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup_it_security (1).msi"
                                Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 876136AFC6C35375E8E539CFFE1FB058
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI380B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5781625 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI3C81.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5782703 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI4B86.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5786531 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F3FE6E8483124E64450C53B6CA0F2865 E Global\MSI0000
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="it@netnut.io" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000CDtpOIAT" /AgentId="219cfac1-8d31-4145-a06a-203fddd623c4"
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI6210.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5792296 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "80051a9b-3773-4781-a860-0a1fa9902094" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "d9931af6-1b9d-44c1-9ed5-93aefcf99ae5" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "54c44644-c1a6-46f7-9967-66ad9bd7a25c" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "d85c307e-1608-4140-9ac8-c846e708cdc6" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "8e4f2c67-2211-44b9-9c5e-9e2f7f6d852f" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-ExecutionPolicy Bypass -Scope CurrentUser
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "dfef552b-734e-4f27-813c-95ef61915f0e" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "1a1cdc7d-4148-4f2b-a60e-770bbe4296d3" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000CDtpOIAT
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "fd229431-cfd0-4a48-9506-52dcbd66ece5" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3463CFE313C5F6D68DABEECB95B6FC58 E Global\MSI0000
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI30EA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5845281 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI33D9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5845984 41 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "8f7a044c-935b-42c2-8dbd-e9da15a52a0d" agent-api.atera.com/Production 443 or8ixLi90Mf "[base64-encoded argument omitted]" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /c powershell.exe -File "C:\Program Files (x86)\Microsoft Office\Office16\vNextDiag.ps1"
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -File "C:\Program Files (x86)\Microsoft Office\Office16\vNextDiag.ps1"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "276b7b5e-f540-44a1-92da-1957752c8d37" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "f202e152-679e-4c58-b00e-ed39c415edc2" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "3dfb1fdc-c036-4dd8-a0b7-edb6435936db" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "65366384-0818-4769-8be6-b22dcbed5d6a" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "3dfb1fdc-c036-4dd8-a0b7-edb6435936db" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "75ab4df9-c133-4579-b7d8-550817dd1a43" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "c93ea641-684b-4df2-9842-dc4e21d806d8" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ==" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 876136AFC6C35375E8E539CFFE1FB058
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F3FE6E8483124E64450C53B6CA0F2865 E Global\MSI0000
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="it@netnut.io" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000CDtpOIAT" /AgentId="219cfac1-8d31-4145-a06a-203fddd623c4"
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3463CFE313C5F6D68DABEECB95B6FC58 E Global\MSI0000
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI380B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5781625 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI3C81.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5782703 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI4B86.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5786531 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI6210.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5792296 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "80051a9b-3773-4781-a860-0a1fa9902094" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "d9931af6-1b9d-44c1-9ed5-93aefcf99ae5" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "54c44644-c1a6-46f7-9967-66ad9bd7a25c" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "8e4f2c67-2211-44b9-9c5e-9e2f7f6d852f" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "dfef552b-734e-4f27-813c-95ef61915f0e" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "1a1cdc7d-4148-4f2b-a60e-770bbe4296d3" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "fd229431-cfd0-4a48-9506-52dcbd66ece5" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "8f7a044c-935b-42c2-8dbd-e9da15a52a0d" agent-api.atera.com/Production 443 or8ixLi90Mf "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" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "276b7b5e-f540-44a1-92da-1957752c8d37" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "f202e152-679e-4c58-b00e-ed39c415edc2" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "3dfb1fdc-c036-4dd8-a0b7-edb6435936db" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "65366384-0818-4769-8be6-b22dcbed5d6a" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "3dfb1fdc-c036-4dd8-a0b7-edb6435936db" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "75ab4df9-c133-4579-b7d8-550817dd1a43" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "c93ea641-684b-4df2-9842-dc4e21d806d8" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ==" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-ExecutionPolicy Bypass -Scope CurrentUser
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /c powershell.exe -File "C:\Program Files (x86)\Microsoft Office\Office16\vNextDiag.ps1"
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI30EA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5845281 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI33D9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5845984 41 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -File "C:\Program Files (x86)\Microsoft Office\Office16\vNextDiag.ps1"
                                Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: version.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msihnd.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: version.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: winsta.dll
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dll
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dll
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dll
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dll
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dll
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dll
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: uxtheme.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: riched20.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: usp10.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msls31.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: edputil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wintypes.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: appresolver.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: bcp47langs.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: slc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sppc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecorecommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile written: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.config
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Dataflow.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Security.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Transactions.Local.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Console.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.VisualBasic.Core.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Formatters.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Tracing.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\dbgshim.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-locale-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\WindowsBase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\clrjit.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-datetime-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Cng.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.Calendars.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Core.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordaccore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-console-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.NETCore.App.runtimeconfig.jsonJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-string-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\clretwrc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.CompilerServices.Unsafe.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ServiceModel.Web.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.SecureString.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.CSharp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Numerics.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-memory-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Encoding.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.FileVersionInfo.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Contracts.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l2-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscorrc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Xml.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.InteropServices.RuntimeInformation.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Ping.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-synch-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ServiceProcess.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Pipes.AccessControl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.Annotations.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.DiagnosticSource.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-stdio-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.ThreadPool.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.CoreLib.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.CodePages.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\.versionJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-console-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.Lightweight.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-process-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\hostJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxrJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxr\6.0.32Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxr\6.0.32\hostfxr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\dotnet.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\LICENSE.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\ThirdPartyNotices.txtJump to behavior
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}
Source: setup_it_security (1).msi Static file information: File size 2994176 > 1048576
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbdeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000026.00000002.2684094691.0000003DDE993000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.IsolatedStorage\net6.0-windows-Release\System.IO.IsolatedStorage.pdb source: System.IO.IsolatedStorage.dll.1.dr
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading.Tasks\4.0.11.0\System.Threading.Tasks.pdb source: System.Threading.Tasks.dll.26.dr
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdbI source: AgentPackageUpgradeAgent.exe, 00000026.00000002.2871112293.000001FB74162000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb1 source: rundll32.exe, 00000031.00000003.2503536266.00000000025C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000002.2504570311.00000000025C5000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\symbols\dll\System.Net.Http.pdb source: AgentPackageRuntimeInstaller.exe, 00000032.00000002.3176554460.0000025871B60000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000003.00000003.1688487310.00000000048AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.000000000417C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004232000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2322673285.0000000003F1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004036000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb source: AteraAgent.exe, 0000001A.00000002.3112170679.000002673992F000.00000004.00000020.00020000.00000000.sdmp, Agent.Package.Watchdog.exe, 0000003D.00000000.2394409384.00007FF7C3BFA000.00000002.00000001.01000000.00000038.sdmp, Agent.Package.Watchdog.exe, 0000003D.00000002.2397704614.00007FF7C3BFA000.00000002.00000001.01000000.00000038.sdmp, Agent.Package.Watchdog.exe, 00000041.00000000.2435132718.00007FF7C3BFA000.00000002.00000001.01000000.00000038.sdmp, Agent.Package.Watchdog.exe, 00000041.00000002.2438072255.00007FF7C3BFA000.00000002.00000001.01000000.00000038.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000C.00000000.1751873947.0000024AAF9A2000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageADRemote\AgentPackageADRemote\obj\Release\AgentPackageADRemote.pdb source: AgentPackageADRemote.exe, 00000045.00000000.2456310800.000002AC71F72000.00000002.00000001.01000000.00000041.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageInternalPoller\AgentPackageInternalPoller\obj\Release\AgentPackageInternalPoller.pdb source: AgentPackageInternalPoller.exe, 00000043.00000000.2450547233.00000226C2FE2000.00000002.00000001.01000000.0000003E.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000D.00000002.2243451069.00000183BD3E2000.00000002.00000001.01000000.00000025.sdmp
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdbg source: AgentPackageUpgradeAgent.exe, 00000026.00000002.2871112293.000001FB74162000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000003.00000003.1688487310.00000000048DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.00000000041AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004263000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721019000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2021837093.0000021CD8732000.00000002.00000001.01000000.00000023.sdmp, rundll32.exe, 00000030.00000003.2322673285.0000000003F4F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004067000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 00000022.00000002.2020385656.0000021CD8572000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: rundll32.exe, 00000031.00000003.2500161572.0000000002638000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000002.2504824123.0000000002638000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 00000022.00000002.2021058994.0000021CD8652000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/net6.0-Release/System.Diagnostics.EventLog.pdb source: AteraAgent.exe, 0000001A.00000002.2624729604.0000026720DFE000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: System.IO.IsolatedStorage.ni.pdb source: System.IO.IsolatedStorage.dll.1.dr
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XDocument\net6.0-Release\System.Xml.XDocument.pdbt+ source: System.Xml.XDocument.dll.1.dr
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A45E6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000012.00000002.1907392152.000001F414E62000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721636000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002A.00000002.2300115854.0000023138A10000.00000002.00000001.01000000.0000002C.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000003.00000003.1688487310.00000000048DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.00000000041AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DD8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A45E6000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004263000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000012.00000002.1907392152.000001F414E62000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721019000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721636000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2021837093.0000021CD8732000.00000002.00000001.01000000.00000023.sdmp, AgentPackageUpgradeAgent.exe, 0000002A.00000002.2300115854.0000023138A10000.00000002.00000001.01000000.0000002C.sdmp, rundll32.exe, 00000030.00000003.2322673285.0000000003F4F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004067000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMarketplace.exe, 00000039.00000002.2572316301.000001AE2B392000.00000002.00000001.01000000.00000048.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: AgentPackageUpgradeAgent.exe, 00000026.00000002.2857516154.000001FB73FB2000.00000002.00000001.01000000.00000052.sdmp
                                Source: Binary string: \??\C:\Windows\symbols\exe\AgentPackageUpgradeAgent.pdbc source: AgentPackageUpgradeAgent.exe, 00000026.00000002.2871112293.000001FB74162000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates\obj\Release\AgentPackageOsUpdates.pdb source: AgentPackageOsUpdates.exe, 0000003B.00000000.2376608896.0000021B9F272000.00000002.00000001.01000000.00000037.sdmp, AgentPackageOsUpdates.exe, 0000003B.00000002.2558241228.0000021BB846F000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdbr source: AgentPackageMonitoring.exe, 00000022.00000000.1972414430.0000021CBF212000.00000002.00000001.01000000.0000001A.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AgentPackageMonitoring.exe, 00000022.00000000.1972414430.0000021CBF212000.00000002.00000001.01000000.0000001A.sdmp
                                Source: Binary string: AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 00000026.00000002.2684094691.0000003DDE993000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdb source: AgentPackageInternalPoller.exe, 00000043.00000002.2544015296.00000226C3BA2000.00000002.00000001.01000000.00000046.sdmp
                                Source: Binary string: \??\C:\Windows\Installer\MSI33D9.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000031.00000003.2503536266.00000000025C5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000002.2504570311.00000000025C5000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb4X source: AgentPackageRuntimeInstaller.exe, 00000032.00000002.3142602040.0000025871562000.00000002.00000001.01000000.00000059.sdmp
                                Source: Binary string: dows\dll\System.pdb source: rundll32.exe, 00000031.00000003.2500161572.0000000002638000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000002.2504824123.0000000002638000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdbSHA256I5 source: AgentPackageOsUpdates.exe, 0000003B.00000002.2551999725.0000021BB83D2000.00000002.00000001.01000000.00000047.sdmp
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Primitives/net6.0-Release/Microsoft.Extensions.Primitives.pdb source: AteraAgent.exe, 0000001A.00000002.2624729604.00000267210CF000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000031.00000002.2509419897.0000000006C90000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: pC:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 00000026.00000002.2684094691.0000003DDE993000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb.u source: rundll32.exe, 00000031.00000002.2509419897.0000000006C90000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Windows\AgentPackageUpgradeAgent.pdbpdbent.pdb source: AgentPackageUpgradeAgent.exe, 00000026.00000002.2871112293.000001FB74162000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000C.00000002.1789075746.0000024AC9EF2000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll0.1.dr
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdb source: AgentPackageOsUpdates.exe, 0000003B.00000002.2427006674.0000021B9FAA2000.00000002.00000001.01000000.0000003A.sdmp
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 00000026.00000002.2684094691.0000003DDE993000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000C.00000002.1789075746.0000024AC9EF2000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll0.1.dr
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Primitives/net6.0-Release/Microsoft.Extensions.Primitives.pdbSHA256*J source: AteraAgent.exe, 0000001A.00000002.2624729604.00000267210CF000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdb source: AteraAgent.exe, 0000001A.00000002.2624729604.0000026721051000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: setup_it_security (1).msi
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdba^{^ m^_CorDllMainmscoree.dll source: AgentPackageOsUpdates.exe, 0000003B.00000002.2427006674.0000021B9FAA2000.00000002.00000001.01000000.0000003A.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdb source: AgentPackageInternalPoller.exe, 00000043.00000002.2538936167.00000226C3A22000.00000002.00000001.01000000.00000043.sdmp
                                Source: Binary string: D:\a\41\s\AteraNugetPackages\Atera.AgentPackages.CommonLib\Atera.AgentPackages.CommonLib\obj\Release\Atera.AgentPackages.CommonLib.pdb source: AgentPackageMarketplace.exe, 00000039.00000002.2448676124.000001AE128B2000.00000002.00000001.01000000.0000003D.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256^Y source: AgentPackageMarketplace.exe, 00000039.00000002.2572316301.000001AE2B392000.00000002.00000001.01000000.00000048.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb source: AgentPackageTicketing.exe, 0000002B.00000000.2278377637.0000026325292000.00000002.00000001.01000000.0000002A.sdmp
                                Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdbes source: rundll32.exe, 00000031.00000002.2504824123.0000000002627000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2500161572.0000000002626000.00000004.00000020.00020000.00000000.sdmp

                                Data Obfuscation

                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($license)) | ConvertFrom-Json$licenseType = $decodedLicense.LicenseType$userId = $decodedLicense.Metadata.UserId$identitiesRegkey = Get-ItemProperty -Path "HKCU:\SOFTWARE\Micros
                                Source: System.ServiceProcess.dll.1.dr Static PE information: 0xAF02E8D7 [Tue Jan 16 20:04:39 2063 UTC]
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 34_2_00007FFDF1991910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,34_2_00007FFDF1991910
                                Source: hostfxr.dll.1.dr Static PE information: section name: _RDATA
                                Source: coreclr.dll.1.dr Static PE information: section name: .CLR_UEF
                                Source: coreclr.dll.1.dr Static PE information: section name: .didat
                                Source: coreclr.dll.1.dr Static PE information: section name: Section
                                Source: coreclr.dll.1.dr Static PE information: section name: _RDATA
                                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_3_043F4ECF push dword ptr [esp+ecx*2-75h]; ret 4_3_043F4ED3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 13_2_00007FFD9B5F0C51 push eax; ret 13_2_00007FFD9B5F0C74
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 13_2_00007FFD9B5F0421 push eax; ret 13_2_00007FFD9B5F0444
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 13_2_00007FFD9B5F5FE4 push eax; ret 13_2_00007FFD9B5F6014
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 13_2_00007FFD9B5F0296 push es; iretd 13_2_00007FFD9B5F0298
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 13_2_00007FFD9B5F02E8 push es; iretd 13_2_00007FFD9B5F02E9
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 13_2_00007FFD9B5F196C push eax; ret 13_2_00007FFD9B5F1984
                                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_3_04514ECF push dword ptr [esp+ecx*2-75h]; ret 16_3_04514ED3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 18_2_00007FFD9B40D5C9 push ds; retf 5F52h 18_2_00007FFD9B40D92F
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 18_2_00007FFD9B4000BD pushad ; iretd 18_2_00007FFD9B4000C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 18_2_00007FFD9B4155BB push esp; iretd 18_2_00007FFD9B4155D9
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 20_2_00007FFD9B3DD5C9 push ds; retf 5F55h 20_2_00007FFD9B3DD92F
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 20_2_00007FFD9B3D00BD pushad ; iretd 20_2_00007FFD9B3D00C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 20_2_00007FFD9B3E55BB push esp; iretd 20_2_00007FFD9B3E55D9
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 24_2_00007FFD9B3F00BD pushad ; iretd 24_2_00007FFD9B3F00C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 26_2_00007FFD9B40A650 push eax; retf 26_2_00007FFD9B40A661
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 26_2_00007FFD9B40A64A push eax; retf 26_2_00007FFD9B40A661
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 26_2_00007FFD9B4125F2 push eax; iretd 26_2_00007FFD9B412631
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 26_2_00007FFD9B412DFA push FFFFFFE8h; retf 26_2_00007FFD9B412EF1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 26_2_00007FFD9B6168FB push eax; retf 26_2_00007FFD9B61723D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 26_2_00007FFD9B611831 push eax; ret 26_2_00007FFD9B611854
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 26_2_00007FFD9B615407 pushad ; iretd 26_2_00007FFD9B6155CD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 26_2_00007FFD9B612D7C push eax; ret 26_2_00007FFD9B612D94
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 26_2_00007FFD9B617214 push eax; retf 26_2_00007FFD9B61723D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 26_2_00007FFD9B6150A8 pushad ; iretd 26_2_00007FFD9B6155CD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 26_2_00007FFD9B61506F pushad ; iretd 26_2_00007FFD9B6155CD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 34_2_00007FFDF19BFAB0 push rbp; ret 34_2_00007FFDF19BFAB1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 34_2_00007FFDF19A8961 push r8; ret 34_2_00007FFDF19A8963
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 34_2_00007FFD9B3D8426 push eax; ret 34_2_00007FFD9B3D846D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 34_2_00007FFD9B5F2408 push es; ret 34_2_00007FFD9B5F2557
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 34_2_00007FFD9B744DA0 push esi; retf 34_2_00007FFD9B7459D7
                                Source: System.Text.Encoding.CodePages.dll.1.dr Static PE information: section name: .text entropy: 7.518734802354905

                                Persistence and Installation Behavior

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageRuntimeInstaller.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMarketplace.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageADRemote.exe.log
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Drawing.Primitives.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.CommonLib.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Newtonsoft.Json.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Extensions.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8A.tmp
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Intrinsics.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.CSharp.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.Win32.Registry.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebHeaderCollection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileProviders.Physical.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Formatters.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Process.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI899D.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 5836bc.rbf (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Drawing.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\hostpolicy.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.ReaderWriter.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.Concurrent.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-private-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Console.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.VisualBasic.Core.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Uri.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA392.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI4B86.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Xml.Linq.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.ServiceProcess.ServiceController.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Xml.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI380B.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 5836ba.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.TypeConverter.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.NameResolution.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ServiceProcess.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\dotnet.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Dataflow.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Debug.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Web.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.Brotli.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI380B.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.VisualBasic.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Http.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.Expressions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Options.ConfigurationExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.DiaSymReader.Native.amd64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Debug.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Core.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8C10.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Principal.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Ping.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBF7B.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.MemoryMappedFiles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.Utils.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ServiceModel.Web.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.Extensions.ManagedClient.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Contracts.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encodings.Web.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7B15.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI380B.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\WindowsBase.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.NetworkInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Sinks.File.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Claims.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-string-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\pl\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\dbgshim.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF6EE.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\ucrtbase.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Binder.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Transactions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6210.tmp-\System.Management.dllJump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Diagnostics.DiagnosticSource.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.ThreadPool.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.CompilerServices.Unsafe.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.IsolatedStorage.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\createdump.exe
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI3C81.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\msquic.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIF246.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.ServicePoint.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIF902.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI6210.tmp-\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Handles.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Tracing.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.DependencyInjection.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscorrc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.Watcher.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordaccore_amd64_amd64_6.0.3224.31407.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Parallel.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.HttpListener.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\5836b5.msi5836c0.rbf (copy)
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.DataAnnotations.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\StructureMap.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI33D9.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscorlib.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI3C81.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Numerics.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Primitives.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Buffers.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Sinks.File.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XDocument.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-string-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.Lightweight.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\clretwrc.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\clrjit.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.DataContractSerialization.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebSockets.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6210.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordbi.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.UserSecrets.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\NLog.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Runtime.CompilerServices.Unsafe.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Hosting.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventLog.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI4B86.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Principal.Windows.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Resources.Writer.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIF4E9.tmp
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Sockets.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.InteropServices.RuntimeInformation.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Abstractions.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.Native.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.TraceSource.dll
Source: C:\Windows\System32\msiexec.exe | File created: 5836bf.rbf (copy)
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Http.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Memory.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.UnmanagedMemoryStream.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.CodePages.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Polly.dll
Source: C:\Windows\System32\msiexec.exe | File created: 5836be.rbf (copy)
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI4F23.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Tools.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Console.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.TypeExtensions.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Primitives.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Runtime.CompilerServices.Unsafe.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Microsoft.ApplicationInsights.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI4DFA.tmp
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.FileExtensions.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.Serialization.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XPath.XDocument.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIFD6A.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Data.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Loader.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Web.HttpUtility.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Quic.dll
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\Installer\MSI380B.tmp-\Newtonsoft.Json.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Logging.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Pipes.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIF390.tmp
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XmlDocument.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Primitives.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-console-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Json.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Primitives.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.OpenSsl.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Memory.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Dynamic.Runtime.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dll
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.DispatchProxy.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3C81.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.Specialized.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebClient.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Algorithms.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.DependencyInjection.Abstractions.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.DiagnosticSource.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Memory.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Calendars.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-processthreads-l1-1-1.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Timer.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4DAA.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.CompilerServices.Unsafe.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.Linq.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-profile-l1-1-0.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-console-l1-1-0.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileSystemGlobbing.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-fibers-l1-1-0.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Newtonsoft.Json.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.FileVersionInfo.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.CompilerServices.VisualC.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA392.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFD6A.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI3C81.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI30EA.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI4B86.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI30EA.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA42F.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI4B86.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8A.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3C81.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI6210.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI6210.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7B15.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI380B.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI6210.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI4B86.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI380B.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI4B86.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI33D9.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFE95.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF6EE.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI33D9.tmp-\System.Management.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF4E9.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI3C81.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI30EA.tmp-\System.Management.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF246.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI30EA.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF902.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI6210.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI899D.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI380B.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1A6.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA981.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFC31.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI33D9.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI380B.tmp-\System.Management.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI30EA.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI6210.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe File created: C:\Windows\Temp\SplashtopStreamer.exe
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA4AD.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIEDFF.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8B92.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4F23.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5836b5.msi5836c0.rbf (copy)
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI33D9.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8C10.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4B86.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI33D9.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIBF7B.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI3C81.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4DFA.tmp
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\AteraSetupLog.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageRuntimeInstaller.exe.log
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\LICENSE.txt

                                Boot Survival

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000

                                Hooking and other Techniques for Hiding and Protection

                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF198A524 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,34_2_00007FFDF198A524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX

                                Malware Analysis System Evasion

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSMBios_RawSMBiosTables
                                Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Name,DisplayName,Description,State from Win32_Service
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Name,DisplayName,Description,State from Win32_Service
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select DisplayName,Name,Started,State from Win32_Service where Name='MSExchangeIS' OR DisplayName='MSExchangeIS'
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #0"} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #0\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #2\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 24AB14B0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 24AC9680000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 183A4210000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 183BC320000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1F414790000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1F42CF50000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1D31AE10000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1D333110000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1702A010000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 17042620000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 26720A20000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 26738BE0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1BC4A820000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1BC62E30000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 21CBF4B0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 21CD7BC0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 1FB5B240000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 1FB73780000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeMemory allocated: 1FFA8680000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeMemory allocated: 1FFC0A60000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 2311FCD0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 23138230000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeMemory allocated: 26325A40000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeMemory allocated: 2633DB30000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeMemory allocated: 25870870000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeMemory allocated: 25870E10000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeMemory allocated: 1AE12310000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeMemory allocated: 1AE2A9B0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMemory allocated: 21B9F6B0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMemory allocated: 21BB7C00000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 2666A3D0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 2666AA00000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMemory allocated: 226C3340000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMemory allocated: 226DBBF0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeMemory allocated: 2AC722B0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeMemory allocated: 2AC72930000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599718
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599593
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599484
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599373
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599263
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599140
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598797
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598668
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598554
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598450
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598343
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598234
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598125
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598015
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597900
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597793
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597171
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597061
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596952
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596843
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596732
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596605
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596494
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596385
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596279
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596171
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596062
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595952
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595843
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595721
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595593
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595483
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595375
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595265
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595151
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595046
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594937
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594828
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594715
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594585
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594482
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594375
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594235
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594109
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593996
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593812
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593682
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593547
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593406
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593265
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593149
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592859
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592749
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592613
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592468
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592359
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592234
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592065
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 591890
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 591772
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 591640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 591528
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599889
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe Thread delayed: delay time: 598583
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Window / User API: threadDelayed 2361
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Window / User API: threadDelayed 7249
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Window / User API: threadDelayed 5221
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Window / User API: threadDelayed 4331
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Window / User API: threadDelayed 1482
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Window / User API: threadDelayed 1786
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Window / User API: threadDelayed 2253
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6726
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2784
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Window / User API: threadDelayed 7307
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Window / User API: threadDelayed 2418
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Window / User API: threadDelayed 8308
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Window / User API: threadDelayed 1078
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe Window / User API: threadDelayed 8433
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2971
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe Window / User API: threadDelayed 1269
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Window / User API: threadDelayed 5605
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Drawing.Primitives.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.CommonLib.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Json.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Newtonsoft.Json.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Extensions.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI8A.tmp
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Intrinsics.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.CSharp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-sysinfo-l1-1-0.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileProviders.Physical.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebHeaderCollection.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.Win32.Registry.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ValueTuple.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Formatters.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.UserSecrets.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-environment-l1-1-0.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Process.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-time-l1-1-0.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI899D.tmp
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.DriveInfo.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.DiagnosticSource.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 5836bc.rbf (copy)
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Drawing.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\ICSharpCode.SharpZipLib.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-processthreads-l1-1-0.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Primitives.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dll
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\hostpolicy.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.ReaderWriter.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.FileExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Pubnub.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.Concurrent.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-private-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Infrastructure.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Console.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.VisualBasic.Core.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Uri.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA392.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI4B86.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Xml.Linq.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.ConfigurationExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.ServiceProcess.ServiceController.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Xml.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI380B.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.TypeConverter.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.NameResolution.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI30EA.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ServiceProcess.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileSystemGlobbing.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Abstractions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\dotnet.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Dataflow.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Debug.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.Brotli.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Web.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI380B.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.VisualBasic.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Http.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.Expressions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Options.ConfigurationExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.DiaSymReader.Native.amd64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Debug.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Http.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Core.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI8C10.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Principal.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Ping.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIBF7B.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.MemoryMappedFiles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ServiceModel.Web.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.Extensions.ManagedClient.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI30EA.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Contracts.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encodings.Web.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Numerics.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Debug.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Polly.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.Immutable.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tracing.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordaccore.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Text.Encodings.Web.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Xml.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.Parallel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.Calendars.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3C81.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6210.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlSerializer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CommunityToolkit.WinUI.Notifications.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Ping.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Windows.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI4B86.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Pipes.AccessControl.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\de\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Abstractions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIFE95.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.AppContext.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI33D9.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.MemoryMappedFiles.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.RegularExpressions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TraceSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI1A6.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Channels.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Watcher.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.AccessControl.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.ServiceProcess.ServiceController.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIFC31.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-multibyte-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.SecureString.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l2-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.EnvironmentVariables.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI30EA.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.StackTrace.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.EventBasedAsync.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\coreclr.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Transactions.Local.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tools.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\ru\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l1-2-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI4B86.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Atera.Agent.Package.Infrastructure.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Thread.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Formats.Asn1.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XmlSerializer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.StackTrace.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Extensions.Hosting.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.FileSystem.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\CliWrap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Binder.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Transactions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6210.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Binder.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.ThreadPool.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.IsolatedStorage.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\createdump.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3C81.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\msquic.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIF246.tmp
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.ServicePoint.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIF902.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI6210.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Tracing.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Handles.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.DependencyInjection.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Newtonsoft.Json.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscorrc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.Watcher.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Dropped PE file which has not been started: C:\Windows\Temp\SplashtopStreamer.exe
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordaccore_amd64_amd64_6.0.3224.31407.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Parallel.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.HttpListener.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\5836b5.msi5836c0.rbf (copy)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.DataAnnotations.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\StructureMap.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI33D9.tmp
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-heap-l1-1-0.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3C81.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscorlib.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Numerics.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Primitives.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Buffers.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Sinks.File.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XDocument.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-string-l1-1-0.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.Lightweight.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\clretwrc.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\clrjit.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Configuration.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.DataContractSerialization.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebSockets.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI6210.tmp
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordbi.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-rtlsupport-l1-1-0.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\NLog.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.UserSecrets.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Runtime.CompilerServices.Unsafe.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-convert-l1-1-0.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Hosting.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-locale-l1-1-0.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventLog.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI4B86.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Principal.Windows.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Resources.Writer.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\6-0-32.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIF4E9.tmp
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\BouncyCastle.Crypto.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Sockets.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Physical.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.InteropServices.RuntimeInformation.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Abstractions.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe TID: 7240 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7572 Thread sleep time: -60000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7540 Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7748 Thread sleep count: 2361 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7748 Thread sleep count: 7249 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7960 Thread sleep count: 31 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7960 Thread sleep time: -28592453314249787s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7960 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7996 Thread sleep time: -160000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8004 Thread sleep time: -3689348814741908s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7988 Thread sleep time: -180000s >= -30000s
                                Source: C:\Windows\SysWOW64\rundll32.exe TID: 8044 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7316 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7252 Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7312 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7188 Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1520 Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7608 Thread sleep count: 5221 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 1360 Thread sleep count: 33 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 1360 Thread sleep time: -30437127721620741s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7956 Thread sleep time: -110000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7904 Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7888 Thread sleep count: 4331 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7948 Thread sleep time: -90000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 8040 Thread sleep count: 1482 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 8040 Thread sleep count: 182 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 8084 Thread sleep count: 1786 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7116 Thread sleep time: -9223372036854770s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7116 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 5548 Thread sleep count: 2253 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 5952 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 6556 Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7192 Thread sleep count: 6726 > 30
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7220 Thread sleep count: 2784 > 30
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7280 Thread sleep time: -9223372036854770s >= -30000s
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7188 Thread sleep time: -1844674407370954s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 6616 Thread sleep time: -60000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 7812 Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 7304 Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep count: 35 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -32281802128991695s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6536 Thread sleep count: 7307 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -599718s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -599593s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -599484s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -599373s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -599263s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -599140s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -599031s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6536 Thread sleep count: 2418 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -598922s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -598797s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -598668s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -598554s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -598450s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -598343s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -598234s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -598125s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -598015s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -597900s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -597793s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -597171s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -597061s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -596952s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -596843s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -596732s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -596605s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -596494s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -596385s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -596279s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -596171s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -596062s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -595952s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -595843s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -595721s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -595593s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -595483s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -595375s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -595265s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -595151s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -595046s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -594937s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520 Thread sleep time: -594828s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520Thread sleep time: -594715s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520Thread sleep time: -594585s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520Thread sleep time: -594482s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520Thread sleep time: -594375s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520Thread sleep time: -594235s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520Thread sleep time: -594109s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520Thread sleep time: -593996s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520Thread sleep time: -593812s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520Thread sleep time: -593682s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520Thread sleep time: -593547s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520Thread sleep time: -593406s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520Thread sleep time: -593265s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520Thread sleep time: -593149s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520Thread sleep time: -592984s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520Thread sleep time: -592859s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520Thread sleep time: -592749s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520Thread sleep time: -592613s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520Thread sleep time: -592468s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520Thread sleep time: -592359s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520Thread sleep time: -592234s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520Thread sleep time: -592065s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520Thread sleep time: -591890s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520Thread sleep time: -591772s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520Thread sleep time: -591640s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 6520Thread sleep time: -591528s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 6444Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1420Thread sleep count: 8308 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -23980767295822402s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1420Thread sleep count: 1078 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -599889s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -599781s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -599671s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -599562s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -599439s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -599324s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -599219s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -599109s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -598999s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -598890s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -598781s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -598661s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -598547s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -598434s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -598303s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -598188s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -598063s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -597938s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -597797s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -597625s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -597469s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -597314s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -597125s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -596995s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -596882s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -596703s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -596578s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -596468s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -596330s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -596183s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -596078s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -595953s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -595766s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -595609s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -595492s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -595358s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -595178s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -595061s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -594949s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -594817s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -594625s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -594477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -594348s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -594219s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -594004s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -593842s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -593641s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -593484s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -593266s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -593120s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -592969s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -592797s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -592657s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -592309s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -591968s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -591858s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -591739s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -591622s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -591496s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -591344s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -591166s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -591000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -590828s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -590626s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -590429s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -590250s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -590105s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -589961s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -589797s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -589609s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -589461s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -589301s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -589171s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -589013s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -588890s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -588781s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -588655s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -588530s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -588421s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -588306s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -588141s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -588014s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -587875s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -587749s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -587616s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -587487s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -587357s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -587215s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -587068s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -586937s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -586801s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -586594s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -586406s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -586203s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -585906s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -585753s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -585594s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -585464s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -585339s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -585214s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -585047s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -584906s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -584780s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -584672s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -584546s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6072Thread sleep time: -584405s >= -30000s
                                Source: C:\Windows\SysWOW64\rundll32.exe TID: 4408Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 2504Thread sleep count: 8433 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 908Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 7972Thread sleep count: 159 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 5268Thread sleep time: -1844674407370954s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 5268Thread sleep time: -100000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 5268Thread sleep time: -99865s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 5268Thread sleep time: -99672s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 5268Thread sleep time: -99510s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 5268Thread sleep time: -99397s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 5268Thread sleep time: -99265s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 5268Thread sleep time: -99153s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 5268Thread sleep time: -99030s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 5268Thread sleep time: -98899s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 5268Thread sleep time: -98754s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 5268Thread sleep time: -98531s >= -30000s
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3664Thread sleep count: 2971 > 30
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3284Thread sleep time: -2767011611056431s >= -30000s
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4136Thread sleep count: 321 > 30
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1464Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe TID: 2332Thread sleep count: 1269 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe TID: 4008Thread sleep time: -1844674407370954s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe TID: 4008Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe TID: 4008Thread sleep time: -598583s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe TID: 6100Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe TID: 3900Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 4128Thread sleep count: 189 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 8188Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 2032Thread sleep count: 5605 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 4124Thread sleep time: -12912720851596678s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 4124Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 2816Thread sleep count: 196 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 8004Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7720Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 8020Thread sleep count: 264 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 648Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 7544Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe TID: 3060Thread sleep time: -1844674407370954s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile opened: PhysicalDrive0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain,Workgroup,Domain FROM Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile Volume queried: C:\ FullSizeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 90000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 30000
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599718
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599593
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599484
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599373
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599263
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599140
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598797
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598668
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598554
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598450
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598343
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598234
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598125
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598015
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597900
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597793
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597171
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597061
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596952
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596843
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596732
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596605
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596494
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596385
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596279
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596171
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596062
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595952
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595843
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595721
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595593
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595483
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595375
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595265
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595151
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595046
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594937
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594828
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594715
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594585
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594482
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594375
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594235
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594109
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593996
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593812
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593682
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593547
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593406
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593265
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593149
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592859
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592749
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592613
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592468
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592359
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592234
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592065
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 591890
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 591772
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 591640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 591528
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe Thread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe Thread delayed: delay time: 598583
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Thread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe Thread delayed: delay time: 922337203685477
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4377000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 00000045.00000002.2478492310.000002AC0039C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service0
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4377000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 00000045.00000002.2478492310.000002AC0039C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -Hyper-V Remote Desktop Virtualization Service0
                                Source: AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.00000266000E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
                                Source: AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.00000266000E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 6VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4377000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 00000045.00000002.2478492310.000002AC0039C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service0
                                Source: AteraAgent.exe, 0000000C.00000002.1788756716.0000024AC9DCC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1788756716.0000024AC9E1B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2240249555.00000183BD083000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2240249555.00000183BD007000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                                Source: rundll32.exe, 00000031.00000002.2504824123.0000000002627000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2500161572.0000000002626000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
                                Source: AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.00000266000E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0VMware20,1
                                Source: AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.00000266000E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
                                Source: AteraAgent.exe, 0000000D.00000002.2232940589.00000183BCB41000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                                Source: AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.00000266000E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
                                Source: AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.00000266000E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware20,12/
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2019485559.0000021CD849C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
                                Source: rundll32.exe, 00000004.00000002.1731321619.00000000026A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1834632231.00000000027B8000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000012.00000002.1909075907.000001F42D610000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.3083045471.00000267394D7000.00000004.00000020.00020000.00000000.sdmp, AgentPackageRuntimeInstaller.exe, 00000032.00000002.3145204679.0000025871676000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMarketplace.exe, 00000039.00000002.2558229482.000001AE2B204000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003F.00000002.2913714359.000002666B200000.00000004.00000020.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 00000043.00000002.2620317509.00000226DC2B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                Source: AgentPackageUpgradeAgent.exe, 00000026.00000002.2871112293.000001FB7410E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllaa
                                Source: AgentPackageSTRemote.exe, 00000028.00000002.3033204462.000001FFC12FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll33
                                Source: AgentPackageAgentInformation.exe, 00000012.00000000.1881670916.000001F414442000.00000002.00000001.01000000.00000016.sdmp Binary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4377000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 00000045.00000002.2478492310.000002AC0039C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: !Hyper-V PowerShell Direct Service0
                                Source: AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.00000266000E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                                Source: AgentPackageADRemote.exe, 00000045.00000002.2478492310.000002AC0039C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
                                Source: AgentPackageADRemote.exe, 00000045.00000002.2605588248.000002AC722E2000.00000002.00000001.01000000.0000004C.sdmp Binary or memory string: vmware
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2013256721.0000021CBFA62000.00000002.00000001.01000000.0000001C.sdmp, AgentPackageMonitoring.exe, 00000022.00000000.1972414430.0000021CBF212000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageMarketplace.exe, 00000039.00000002.2448676124.000001AE128B2000.00000002.00000001.01000000.0000003D.sdmp, AgentPackageADRemote.exe, 00000045.00000002.2605588248.000002AC722E2000.00000002.00000001.01000000.0000004C.sdmp Binary or memory string: get_IsVirtualMachine
                                Source: AgentPackageMonitoring.exe, 00000022.00000002.2013891908.0000021CBFCAD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.00000266000E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: IsVirtualMachine
                                Source: AteraAgent.exe, 0000000C.00000002.1788756716.0000024AC9D40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWR
                                Source: AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.00000266000E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware20,1
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4377000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 00000045.00000002.2478492310.000002AC0039C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $Hyper-V Time Synchronization Service0
                                Source: AgentPackageADRemote.exe, 00000045.00000002.2478492310.000002AC0039C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
                                Source: AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.00000266000E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
                                Source: AgentPackageADRemote.exe, 00000045.00000002.2478492310.000002AC001C6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: IsVirtualMachineX
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4377000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 00000045.00000002.2478492310.000002AC0039C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service0
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4377000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 00000045.00000002.2478492310.000002AC0039C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface0
                                Source: AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.00000266000E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIES1371
                                Source: AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.00000266000E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware Virtual RAM
                                Source: AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4377000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 00000045.00000002.2478492310.000002AC0039C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $Hyper-V Volume Shadow Copy Requestor0
                                Source: AgentPackageADRemote.exe, 00000045.00000002.2478492310.000002AC0039C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
                                Source: AgentPackageAgentInformation.exe, 00000014.00000002.1908439541.000001D333B30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllnn
                                Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF1991910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,34_2_00007FFDF1991910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF19CB9F0 GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_snprintf,OutputDebugStringA,34_2_00007FFDF19CB9F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF1987A84 GetProcessHeap,34_2_00007FFDF1987A84
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess token adjusted: Debug
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeProcess token adjusted: Debug
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF198ACD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,34_2_00007FFDF198ACD4
                                Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: page read and write | page guard

                                HIPS / PFW / Operating System Protection Evasion

                                Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.119.152.241 443
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-ExecutionPolicy Bypass -Scope CurrentUser
                                Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="it@netnut.io" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000CDtpOIAT" /AgentId="219cfac1-8d31-4145-a06a-203fddd623c4"
                                Source: C:\Windows\System32\msiexec.exe Process created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "80051a9b-3773-4781-a860-0a1fa9902094" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "d9931af6-1b9d-44c1-9ed5-93aefcf99ae5" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "54c44644-c1a6-46f7-9967-66ad9bd7a25c" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "8e4f2c67-2211-44b9-9c5e-9e2f7f6d852f" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "dfef552b-734e-4f27-813c-95ef61915f0e" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "1a1cdc7d-4148-4f2b-a60e-770bbe4296d3" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "fd229431-cfd0-4a48-9506-52dcbd66ece5" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "8f7a044c-935b-42c2-8dbd-e9da15a52a0d" agent-api.atera.com/Production 443 or8ixLi90Mf "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" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "276b7b5e-f540-44a1-92da-1957752c8d37" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "f202e152-679e-4c58-b00e-ed39c415edc2" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "3dfb1fdc-c036-4dd8-a0b7-edb6435936db" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "65366384-0818-4769-8be6-b22dcbed5d6a" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "3dfb1fdc-c036-4dd8-a0b7-edb6435936db" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "75ab4df9-c133-4579-b7d8-550817dd1a43" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "c93ea641-684b-4df2-9842-dc4e21d806d8" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ==" 001Q300000CDtpOIAT
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-ExecutionPolicy Bypass -Scope CurrentUser
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /c powershell.exe -File "C:\Program Files (x86)\Microsoft Office\Office16\vNextDiag.ps1"
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -File "C:\Program Files (x86)\Microsoft Office\Office16\vNextDiag.ps1"
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "80051a9b-3773-4781-a860-0a1fa9902094" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000cdtpoiat
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "d9931af6-1b9d-44c1-9ed5-93aefcf99ae5" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000cdtpoiat
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "54c44644-c1a6-46f7-9967-66ad9bd7a25c" agent-api.atera.com/production 443 or8ixli90mf "identified" 001q300000cdtpoiat
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "d85c307e-1608-4140-9ac8-c846e708cdc6" agent-api.atera.com/production 443 or8ixli90mf "generalinfo fromgui" 001q300000cdtpoiat
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "8e4f2c67-2211-44b9-9c5e-9e2f7f6d852f" agent-api.atera.com/production 443 or8ixli90mf "syncprofile" 001q300000cdtpoiat
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageupgradeagent\agentpackageupgradeagent.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "dfef552b-734e-4f27-813c-95ef61915f0e" agent-api.atera.com/production 443 or8ixli90mf "checkforupdates" 001q300000cdtpoiat
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagestremote\agentpackagestremote.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "1a1cdc7d-4148-4f2b-a60e-770bbe4296d3" agent-api.atera.com/production 443 or8ixli90mf "downloadifneeded" 001q300000cdtpoiat
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageticketing\agentpackageticketing.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "fd229431-cfd0-4a48-9506-52dcbd66ece5" agent-api.atera.com/production 443 or8ixli90mf "maintain" 001q300000cdtpoiat
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageruntimeinstaller\agentpackageruntimeinstaller.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "8f7a044c-935b-42c2-8dbd-e9da15a52a0d" agent-api.atera.com/production 443 or8ixli90mf "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" 001q300000cdtpoiat
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemarketplace\agentpackagemarketplace.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "276b7b5e-f540-44a1-92da-1957752c8d37" agent-api.atera.com/production 443 or8ixli90mf "agentprovision" 001q300000cdtpoiat
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageosupdates\agentpackageosupdates.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "f202e152-679e-4c58-b00e-ed39c415edc2" agent-api.atera.com/production 443 or8ixli90mf "getlistofallupdates" 001q300000cdtpoiat
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe "c:\program files (x86)\atera networks\ateraagent\packages\agent.package.watchdog\agent.package.watchdog.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "3dfb1fdc-c036-4dd8-a0b7-edb6435936db" agent-api.atera.com/production 443 or8ixli90mf "eyjbcmd1bwvudhmioij7xhuwmdiyq29tbwfuze5hbwvcdtawmji6xhuwmdiybwfpbnrlbmfuy2vcdtawmjisxhuwmdiyrw5hymxlzfx1mdaymjp0cnvllfx1mdaymljlcgvhdeludgvydmfstwludxrlc1x1mdaymjoxmcxcdtawmjjeyxlzsw50zxj2ywxcdtawmji6msxcdtawmjjszxblyxredxjhdglvbkrhexncdtawmji6mx0ifq==" 001q300000cdtpoiat
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "65366384-0818-4769-8be6-b22dcbed5d6a" agent-api.atera.com/production 443 or8ixli90mf "monitor" 001q300000cdtpoiat
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe "c:\program files (x86)\atera networks\ateraagent\packages\agent.package.watchdog\agent.package.watchdog.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "3dfb1fdc-c036-4dd8-a0b7-edb6435936db" agent-api.atera.com/production 443 or8ixli90mf "eyjbcmd1bwvudhmioij7xhuwmdiyq29tbwfuze5hbwvcdtawmji6xhuwmdiybwfpbnrlbmfuy2vcdtawmjisxhuwmdiyrw5hymxlzfx1mdaymjp0cnvllfx1mdaymljlcgvhdeludgvydmfstwludxrlc1x1mdaymjoxmcxcdtawmjjeyxlzsw50zxj2ywxcdtawmji6msxcdtawmjjszxblyxredxjhdglvbkrhexncdtawmji6mx0ifq==" 001q300000cdtpoiat
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageinternalpoller\agentpackageinternalpoller.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "75ab4df9-c133-4579-b7d8-550817dd1a43" agent-api.atera.com/production 443 or8ixli90mf "pollall" 001q300000cdtpoiat
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageadremote\agentpackageadremote.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "c93ea641-684b-4df2-9842-dc4e21d806d8" agent-api.atera.com/production 443 or8ixli90mf "eyjbzenvbw1hbmruexblijo1lcjjbnn0ywxsyxrpb25gawxlvxjsijoiahr0chm6ly9nzxquyw55zgvzay5jb20voenrc3u5a3yvqw55rgvza19ddxn0b21fq2xpzw50lm1zasisikzvcmnlsw5zdgfsbci6zmfsc2usilrhcmdldfzlcnnpb24ioiiifq==" 001q300000cdtpoiat
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageosupdates\agentpackageosupdates.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "f202e152-679e-4c58-b00e-ed39c415edc2" agent-api.atera.com/production 443 or8ixli90mf "getlistofallupdates" 001q300000cdtpoiat
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe "c:\program files (x86)\atera networks\ateraagent\packages\agent.package.watchdog\agent.package.watchdog.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "3dfb1fdc-c036-4dd8-a0b7-edb6435936db" agent-api.atera.com/production 443 or8ixli90mf "eyjbcmd1bwvudhmioij7xhuwmdiyq29tbwfuze5hbwvcdtawmji6xhuwmdiybwfpbnrlbmfuy2vcdtawmjisxhuwmdiyrw5hymxlzfx1mdaymjp0cnvllfx1mdaymljlcgvhdeludgvydmfstwludxrlc1x1mdaymjoxmcxcdtawmjjeyxlzsw50zxj2ywxcdtawmji6msxcdtawmjjszxblyxredxjhdglvbkrhexncdtawmji6mx0ifq==" 001q300000cdtpoiat
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "65366384-0818-4769-8be6-b22dcbed5d6a" agent-api.atera.com/production 443 or8ixli90mf "monitor" 001q300000cdtpoiat
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe "c:\program files (x86)\atera networks\ateraagent\packages\agent.package.watchdog\agent.package.watchdog.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "3dfb1fdc-c036-4dd8-a0b7-edb6435936db" agent-api.atera.com/production 443 or8ixli90mf "eyjbcmd1bwvudhmioij7xhuwmdiyq29tbwfuze5hbwvcdtawmji6xhuwmdiybwfpbnrlbmfuy2vcdtawmjisxhuwmdiyrw5hymxlzfx1mdaymjp0cnvllfx1mdaymljlcgvhdeludgvydmfstwludxrlc1x1mdaymjoxmcxcdtawmjjeyxlzsw50zxj2ywxcdtawmji6msxcdtawmjjszxblyxredxjhdglvbkrhexncdtawmji6mx0ifq==" 001q300000cdtpoiat
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageinternalpoller\agentpackageinternalpoller.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "75ab4df9-c133-4579-b7d8-550817dd1a43" agent-api.atera.com/production 443 or8ixli90mf "pollall" 001q300000cdtpoiat
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageadremote\agentpackageadremote.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "c93ea641-684b-4df2-9842-dc4e21d806d8" agent-api.atera.com/production 443 or8ixli90mf "eyjbzenvbw1hbmruexblijo1lcjjbnn0ywxsyxrpb25gawxlvxjsijoiahr0chm6ly9nzxquyw55zgvzay5jb20voenrc3u5a3yvqw55rgvza19ddxn0b21fq2xpzw50lm1zasisikzvcmnlsw5zdgfsbci6zmfsc2usilrhcmdldfzlcnnpb24ioiiifq==" 001q300000cdtpoiat
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF198739C cpuid 34_2_00007FFDF198739C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI380B.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI380B.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI3C81.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI3C81.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI3C81.tmp-\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI4B86.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI4B86.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI6210.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI6210.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI6210.tmp-\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI30EA.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI30EA.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI33D9.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI33D9.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI33D9.tmp-\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF198CC04 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,34_2_00007FFDF198CC04
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 34_2_00007FFDF19885D4 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,_malloc_crt,_invoke_watson,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,34_2_00007FFDF19885D4
                                Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
                                Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiVirusProduct
                                Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiSpywareProduct
                                Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from FirewallProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiVirusProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiSpywareProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from FirewallProduct

                                Stealing of Sensitive Information

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeDevice IO: \Device\Harddisk0\DR0

                                Remote Access Functionality

                                Source: Yara match File source: 43.0.AgentPackageTicketing.exe.26325290000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 18.2.AgentPackageAgentInformation.exe.1f414d60000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 50.0.AgentPackageRuntimeInstaller.exe.25870460000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 50.2.AgentPackageRuntimeInstaller.exe.25871560000.3.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 57.2.AgentPackageMarketplace.exe.1ae12980000.3.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 18.0.AgentPackageAgentInformation.exe.1f414440000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 67.0.AgentPackageInternalPoller.exe.226c2fe0000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 12.0.AteraAgent.exe.24aaf9a0000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 34.0.AgentPackageMonitoring.exe.21cbf210000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 59.2.AgentPackageOsUpdates.exe.21b9faa0000.2.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 38.0.AgentPackageUpgradeAgent.exe.1fb5af10000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 40.0.AgentPackageSTRemote.exe.1ffa80d0000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 34.2.AgentPackageMonitoring.exe.21cbfa60000.1.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 69.0.AgentPackageADRemote.exe.2ac71f70000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 69.2.AgentPackageADRemote.exe.2ac722e0000.1.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 57.2.AgentPackageMarketplace.exe.1ae128b0000.1.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 26.2.AteraAgent.exe.26721052210.0.raw.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 59.0.AgentPackageOsUpdates.exe.21b9f270000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 00000024.00000002.2275321132.00000204BC3B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2456662957.000001AE129B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000003.00000003.1688487310.00000000048AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2284989643.000002311F940000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000043.00000002.2546667690.00000226C3D66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2451208091.000001D75D13B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000022.00000002.2036362792.00007FFDF1B19000.00000004.00000001.01000000.0000001B.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2624729604.0000026721606000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2215301309.00000183A3BE7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.3112170679.0000026739834000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2743952170.000001FB5BA01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003F.00000002.2860865553.000002666A223000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000043.00000002.2546667690.00000226C3E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2545948575.000001AE2B1E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003F.00000002.2592969488.00000266006A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2506767031.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000003.2665003366.0000017409AA9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003F.00000002.2592969488.0000026600437000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2856089852.000001FFA8AD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2215301309.00000183A3CA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000003.2329938218.0000000004036000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003F.00000002.2860865553.000002666A1BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1787151853.0000024AAFA90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1787151853.0000024AAFADE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1836122126.0000000004591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.3112057678.000002587066D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000000.1751873947.0000024AAF9A2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2394542463.0000019501B34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000043.00000002.2504935343.00000226C3110000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.3145204679.00000258715EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2826456503.000001FFA827D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2451336595.000001D75D330000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2624729604.0000026720C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000043.00000000.2450547233.00000226C2FE2000.00000002.00000001.01000000.0000003E.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.3112057678.0000025870640000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2434838038.000001AE12320000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2624729604.0000026720F85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2216953221.00000183A4621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000022.00000000.1972414430.0000021CBF212000.00000002.00000001.01000000.0000001A.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2216953221.00000183A46E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2624729604.0000026721636000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2870497763.000001FB74105000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2451336595.000001D75D300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2240249555.00000183BD007000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2581135478.00000267203DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2284989643.000002311F9C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2216953221.00000183A4A4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003F.00000002.2860865553.000002666A1DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2624729604.0000026720DFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000043.00000002.2620317509.00000226DC2B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000003.2350547712.000001D382A40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000022.00000002.2019485559.0000021CD83E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2240249555.00000183BCFC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2581135478.00000267203FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2216953221.00000183A4A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003B.00000002.2433812655.0000021B9FCF6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2887151173.0000025800679000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2624729604.0000026720FC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.1903148234.000001D31ABD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000022.00000002.2012563069.0000021CBF52A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.1903291791.000001F414579000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003F.00000002.2960856979.000002666C2A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1787970855.0000024AB1709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2215269233.00000183A3AF0000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.3262387464.0000021008D00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.1907793752.000001F414F97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2624729604.00000267210CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2292530172.000002311FCE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2624729604.00000267210A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1789943776.00007FFD9B484000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2624729604.0000026720EC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.1921126821.000001702A693000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2506767031.0000000004350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000043.00000002.2504935343.00000226C315C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003F.00000002.2592969488.00000266004A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2437398737.000001AE1240F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2214008079.00000056B1EF5000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2215301309.00000183A3BFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2694458061.000001FB5B162000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.3221945460.0000019573895000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000043.00000002.2546667690.00000226C3C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2743952170.000001FB5B781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2887151173.0000025800001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.3112170679.00000267398C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2456662957.000001AE12BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2742301343.000001FB5B3E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1787970855.0000024AB1734000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2856089852.000001FFA8B90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2826456503.000001FFA81F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1787151853.0000024AAFAB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2887151173.000002580013D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2394542463.0000019500C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000041.00000002.2437644613.000001C6F6C88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2887151173.00000258001FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000043.00000002.2546667690.00000226C3BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003B.00000002.2558241228.0000021BB8420000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.1903148234.000001D31AB50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2240249555.00000183BCFE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2215301309.00000183A3C1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2887151173.0000025800641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.1907251597.000001D31B111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1789279032.0000024ACA1BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2240249555.00000183BD0A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003F.00000002.2957807940.000002666C159000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.1920228112.0000017029E1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003F.00000002.2860865553.000002666A1A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000043.00000002.2504935343.00000226C319C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000043.00000002.2504935343.00000226C311C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2887151173.000002580066C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2624729604.0000026721051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2456662957.000001AE12B30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003B.00000002.2433812655.0000021B9FE68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003B.00000002.2433812655.0000021B9FC01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.3112057678.00000258706D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2887151173.00000258005BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1787686429.0000024AAFC30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.1908439541.000001D333B30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2240343644.000001BC69600000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1787970855.0000024AB17AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000000.1881670916.000001F414442000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003F.00000002.2592969488.0000026600288000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003B.00000002.2433812655.0000021B9FDF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000043.00000002.2546667690.00000226C3E2B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2216953221.00000183A4632000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1787151853.0000024AAFA56000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003F.00000002.2960856979.000002666C353000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000003.2360037771.000001D75D140000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.3083045471.0000026739496000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000003.2664333995.0000017409A9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1836122126.0000000004634000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2668968202.0000017409AAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000043.00000002.2536504247.00000226C34B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000003.1937607927.000001BC697F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.3112057678.000002587068A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2437398737.000001AE12361000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000043.00000002.2546667690.00000226C3E25000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2856089852.000001FFA8FAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000043.00000002.2546667690.00000226C3E2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2240343644.000001BC6960B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2581135478.0000026720427000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2887151173.0000025800664000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.1903148234.000001D31AB8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003F.00000002.3208117790.00007FFDEE599000.00000004.00000001.01000000.0000001B.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003F.00000002.2592969488.00000266006F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2216953221.00000183A43A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2437398737.000001AE123AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000045.00000002.2478492310.000002AC0039C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2624729604.0000026720DC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.1903291791.000001F4145BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000045.00000002.2611670270.000002AC7308F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2624729604.0000026720BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000045.00000002.2478492310.000002AC00001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2292782110.0000023120231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000024.00000002.2281418929.00000204BCE68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000024.00000002.2281418929.00000204BD357000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000024.00000002.2281418929.00000204BD454000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000024.00000002.2281418929.00000204BDD78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000022.00000002.2013891908.0000021CBFCAD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000024.00000002.2281418929.00000204BE5BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000024.00000002.2281418929.00000204BD576000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2394542463.0000019500231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000024.00000002.2281418929.00000204BDF5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000024.00000002.2281418929.00000204BE274000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 6452, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 7196, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 7280, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AteraAgent.exe PID: 7520, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AteraAgent.exe PID: 7696, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 7908, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 6600, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 6532, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7476, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AteraAgent.exe PID: 1528, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: cmd.exe PID: 3912, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: cscript.exe PID: 8072, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageMonitoring.exe PID: 7356, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: powershell.exe PID: 1028, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageUpgradeAgent.exe PID: 7224, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageSTRemote.exe PID: 7324, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageUpgradeAgent.exe PID: 1312, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageTicketing.exe PID: 7428, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: msiexec.exe PID: 6328, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 8076, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 404, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageRuntimeInstaller.exe PID: 2720, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: cmd.exe PID: 1448, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: powershell.exe PID: 412, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: cmd.exe PID: 1784, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageMarketplace.exe PID: 2112, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageOsUpdates.exe PID: 4428, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: Agent.Package.Watchdog.exe PID: 5912, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageMonitoring.exe PID: 2116, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: Agent.Package.Watchdog.exe PID: 5516, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageInternalPoller.exe PID: 3844, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageADRemote.exe PID: 1748, type: MEMORYSTR
                                Source: Yara match, File source: C:\Windows\Temp\~DFA2C5F5D379769A58.TMP, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
                                Source: Yara match, File source: C:\Config.Msi\5836b9.rbs, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Installer\MSI6210.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Temp\~DFB393DFCC6F72C642.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF06EFE7E1CBF36F11.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF37013C52B0990D2E.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFD2D3E72787CCF9CE.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFD6CD53E6643D16C5.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Atera.Agent.Package.Infrastructure.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFD6D4C4C3DBF9F85F.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFF2A9E24987C1ED43.TMP, type: DROPPED
                                Source: Yara matchFile source: dropped/ConDrv, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\AteraSetupLog.txt, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\5836c1.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFB35298A01031E4F1.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI4DA9.tmp, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFE10225C8A87DB3B6.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFDC01BFBC08A00211.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFBE3B8FD725155D54.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF2936DF211C6B5571.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF996F65DABC71DB09.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI897D.tmp, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFFEBA617B4563588C.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF9499529FD83F34D5.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF6EF43F7DE34E2402.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFA33DC725B6A6D433.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF63C7C9D4F8048B9E.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFC379EDB94CDC4657.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFECB08EC1F778426B.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI4B86.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFCFC99B1B1B88CC51.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF7C34FE0853000228.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF1CAAE035A3979FA8.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFC8BEA5F80B2C2FA1.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSIA381.tmp, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFC685BE6DABE82B53.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF6703CD2B5D6F0133.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF8A4C2E9B3729CA79.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI33D9.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF35E3D090FA5CFDB6.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF55BE75C8FB960A2A.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI380B.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF03343DD798B212B3.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF43E931AEB68AA588.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.32_(x64)_20240805161932_000_dotnet_runtime_6.0.32_win_x64.msi.log, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFC30C51A7ABE3BDBD.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI30EA.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.32_(x64)_20240805161932_001_dotnet_hostfxr_6.0.32_win_x64.msi.log, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\5836b4.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI3C81.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\log.txt, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF08FEF053D1F39F39.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF14BC8CA5237641D8.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF3B0E0EE6299AB0E4.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.32_(x64)_20240805161932_002_dotnet_host_6.0.32_win_x64.msi.log, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 34_2_00007FFDF19CB9F0 GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_snprintf,OutputDebugStringA,34_2_00007FFDF19CB9F0
                                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                                Gather Victim Identity Information1
                                Scripting
                                1
                                Replication Through Removable Media
                                441
                                Windows Management Instrumentation
                                1
                                Scripting
                                1
                                DLL Side-Loading
                                21
                                Disable or Modify Tools
                                OS Credential Dumping2
                                System Time Discovery
                                Remote Services11
                                Archive Collected Data
                                2
                                Encrypted Channel
                                Exfiltration Over Other Network MediumAbuse Accessibility Features
                                CredentialsDomainsDefault Accounts1
                                Native API
                                1
                                DLL Side-Loading
                                22
                                Windows Service
                                11
                                Deobfuscate/Decode Files or Information
                                LSASS Memory11
                                Peripheral Device Discovery
                                Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
                                Email AddressesDNS ServerDomain Accounts11
                                Command and Scripting Interpreter
                                22
                                Windows Service
                                111
                                Process Injection
                                4
                                Obfuscated Files or Information
                                Security Account Manager2
                                File and Directory Discovery
                                SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
                                Employee NamesVirtual Private ServerLocal Accounts11
                                Scheduled Task/Job
                                11
                                Scheduled Task/Job
                                11
                                Scheduled Task/Job
                                11
                                Software Packing
                                NTDS165
                                System Information Discovery
                                Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                                Gather Victim Network InformationServerCloud Accounts11
                                Service Execution
                                Network Logon ScriptNetwork Logon Script1
                                Timestomp
                                LSA Secrets1
                                Query Registry
                                SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                                Domain PropertiesBotnetReplication Through Removable Media1
                                PowerShell
                                RC ScriptsRC Scripts1
                                DLL Side-Loading
                                Cached Domain Credentials571
                                Security Software Discovery
                                VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                                File Deletion
                                DCSync1
                                Process Discovery
                                Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job123
                                Masquerading
                                Proc Filesystem161
                                Virtualization/Sandbox Evasion
                                Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                                Modify Registry
                                /etc/passwd and /etc/shadow1
                                Application Window Discovery
                                Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron161
                                Virtualization/Sandbox Evasion
                                Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                                Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd111
                                Process Injection
                                Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                                Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled Task1
                                Rundll32
                                KeyloggingProcess DiscoveryTaint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking
                                [Behavior graph: ID 1488350; Sample: setup_it_security (1).msi; Start date: 05/08/2024; Architecture: WINDOWS; Score: 100]

                                Source | Detection | Scanner | Label | Link
                                setup_it_security (1).msi | 21% | ReversingLabs | Win32.Trojan.Atera |

                                Source | Detection | Scanner | Label | Link
                                5836ba.rbf (copy) | 16% | ReversingLabs | Win32.Trojan.Atera |
                                5836bc.rbf (copy) | 0% | ReversingLabs | |
                                5836bd.rbf (copy) | 0% | ReversingLabs | |
                                5836be.rbf (copy) | 0% | ReversingLabs | |
                                5836bf.rbf (copy) | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | 16% | ReversingLabs | Win32.Trojan.Atera |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Atera.Agent.Package.Infrastructure.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.Extensions.ManagedClient.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Abstractions.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Binder.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.CommandLine.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.EnvironmentVariables.dll | 0% | ReversingLabs | |
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.FileExtensions.dll | 0% | ReversingLabs | |
                                No Antivirus matches
                                No Antivirus matches
                                No Antivirus matches
                                No contacted domains info
                                Name | Source | Malicious | Antivirus Detection | Reputation
                                                                  http://schemas.datacontract.org/2004/07/System.ServiceProcessAteraAgent.exe, 0000000C.00000002.1787970855.0000024AB1734000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    https://my.splashtop.com/csrs/winAgentPackageSTRemote.exe, 00000028.00000000.2268161629.000001FFA80D2000.00000002.00000001.01000000.00000029.sdmp, AgentPackageSTRemote.exe, 00000028.00000002.2856089852.000001FFA8B90000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      http://wixtoolset.orgrundll32.exe, 00000003.00000003.1688487310.00000000048DE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1699758147.00000000041AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1734699805.0000000004DD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004263000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000030.00000003.2322673285.0000000003F4F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004067000.00000004.00000020.00020000.00000000.sdmp, setup_it_security (1).msifalse
                                                                        HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.AVAILABILITY/0.16/AGENT.PACKAGE.AVAILABILITY.ZAteraAgent.exe, 0000001A.00000002.2624729604.000002672143B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720CEA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zipAteraAgent.exe, 0000000D.00000002.2216953221.00000183A439C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4433000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4377000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720CEA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEHEARTBEAT/17.14/AGENTPACKAGEHEARTBEAT.ZIPAteraAgent.exe, 0000001A.00000002.2624729604.000002672111C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720DC5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              https://agent-api.atera.com/Production/Agent/track-event;rundll32.exe, 00000004.00000002.1732354769.0000000004636000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1836122126.0000000004676000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                https://nuget.org/nuget.exepowershell.exe, 00000024.00000002.2422725544.00000204CCCAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2281418929.00000204BE5BB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.3140600099.000001951007D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.3140600099.00000195101B3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/37.2/AgentPackageAgentInformatiAteraAgent.exe, 0000000D.00000002.2216953221.00000183A4632000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720CEA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstallerAteraAgent.exe, 0000000D.00000002.2216953221.00000183A439C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      http://acontrol.atera.com/AteraAgent.exe, 0000000C.00000000.1751873947.0000024AAF9A2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4321000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        https://agent-api.atera.com/Production/Agent/AgentStarting)AteraAgent.exe, 0000000D.00000002.2216953221.00000183A45E6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/21.7/AgentPackageSTRemote.zipAteraAgent.exe, 0000000D.00000002.2216953221.00000183A47CE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A475B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zipAteraAgent.exe, 0000000D.00000002.2216953221.00000183A4433000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720CEA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namerundll32.exe, 00000004.00000002.1732354769.0000000004551000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1732354769.00000000045F4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4321000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1836122126.0000000004591000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1836122126.0000000004634000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000012.00000002.1907793752.000001F41500F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.1907251597.000001D31B193000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720BE1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2013891908.0000021CBFCAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2281418929.00000204BCC41000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000026.00000002.2743952170.000001FB5B781000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000028.00000002.2856089852.000001FFA8AD8000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000031.00000002.2506767031.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000031.00000002.2506767031.0000000004350000.00000004.00000800.00020000.00000000.sdmp, AgentPackageRuntimeInstaller.exe, 00000032.00000002.2887151173.00000258000A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2394542463.0000019500001000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMarketplace.exe, 
00000039.00000002.2456662957.000001AE12BA9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.000002660029B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 00000043.00000002.2546667690.00000226C3C10000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGERUNTIMEINSTALLER/1.6/AGENTPACKAGERUNTIMEINSTALLEAteraAgent.exe, 0000001A.00000002.2624729604.000002672143B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?AteraAgent.exe, 0000000D.00000002.2240249555.00000183BCFD5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    http://my.splashtop.comAgentPackageSTRemote.exe, 00000028.00000002.2856089852.000001FFA8C20000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000036.00000002.2394542463.0000019500231000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000036.00000002.2394542463.0000019500231000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          https://contoso.com/Iconpowershell.exe, 00000036.00000002.3140600099.00000195101B3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            http://schemas.datacontract.org/2004/07/System.Runtime.SerializationSystem.Private.DataContractSerialization.dll.1.drfalse
                                                                                                              https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageAgAteraAgent.exe, 0000000D.00000002.2216953221.00000183A4433000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                https://get.anydesk.com/8CQsu9kv/AnyDesk_Custom_Client.msi(AgentPackageADRemote.exe, 00000045.00000002.2478492310.000002AC0039C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  https://download.splashtop.comAgentPackageSTRemote.exe, 00000028.00000002.2856089852.000001FFA8C7D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    https://aka.ms/dotnet/app-launch-failed&gui=trueShowingAteraAgent.exe, 0000001A.00000002.3112170679.000002673992F000.00000004.00000020.00020000.00000000.sdmp, Agent.Package.Watchdog.exe, 0000003D.00000000.2394409384.00007FF7C3BFA000.00000002.00000001.01000000.00000038.sdmp, Agent.Package.Watchdog.exe, 0000003D.00000002.2397704614.00007FF7C3BFA000.00000002.00000001.01000000.00000038.sdmp, Agent.Package.Watchdog.exe, 00000041.00000000.2435132718.00007FF7C3BFA000.00000002.00000001.01000000.00000038.sdmp, Agent.Package.Watchdog.exe, 00000041.00000002.2438072255.00007FF7C3BFA000.00000002.00000001.01000000.00000038.sdmpfalse
                                                                                                                      http://www.globaltrust.info0AteraAgent.exe, 0000000D.00000002.2244086338.00000183BD50D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zipAteraAgent.exe, 0000000D.00000002.2216953221.00000183A439C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4433000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageAg25sbAteraAgent.exe, 0000000D.00000002.2216953221.00000183A458F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            https://agent-api.atera.comAteraAgent.exe, 0000000D.00000002.2216953221.00000183A47CE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A45A0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A498D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A4632000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1792676963.0000000004232000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1836122126.0000000004591000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1836122126.0000000004634000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000012.00000002.1907793752.000001F41500F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.1907251597.000001D31B193000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.00000267216DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721004000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720DFE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.00000267210CF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.00000267210B1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2013891908.0000021CBFCAD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000028.00000002.2856089852.000001FFA8AD8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000028.00000002.2856089852.000001FFA8FAF000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 
00000030.00000003.2322673285.0000000003F1E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000002.2506767031.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2329938218.0000000004036000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000002.2506767031.0000000004350000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              https://www.nuget.org/packages/NLog.Web.AspNetCoreAgentPackageMonitoring.exe, 00000022.00000002.2021781383.0000021CD8728000.00000002.00000001.01000000.00000022.sdmp, AgentPackageMonitoring.exe, 00000022.00000002.2021058994.0000021CD8652000.00000002.00000001.01000000.00000022.sdmpfalse
                                                                                                                                https://github.com/Pester/Pesterpowershell.exe, 00000036.00000002.2394542463.0000019500231000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/21.7/AgentPackageSTRemote.zip?kFwHeUtqpAteraAgent.exe, 0000000D.00000002.2216953221.00000183A47CE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    http://www.w3.ohAteraAgent.exe, 0000000C.00000002.1787970855.0000024AB1734000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      https://agent-api.atera.com/Production/Agent/GetCommandsAteraAgent.exe, 0000000D.00000002.2216953221.00000183A4433000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A43A4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026721004000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2624729604.0000026720EA7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageAAteraAgent.exe, 0000000D.00000002.2216953221.00000183A45A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000024.00000002.2281418929.00000204BCE68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2281418929.00000204BD576000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            http://bf0ce49d-77cf-4721-bf70-57686383c9ab.ods.opinsights.azure.comAgentPackageRuntimeInstaller.exe, 00000032.00000002.2887151173.0000025800705000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              https://agent-api.atera.com/Production/AAteraAgent.exe, 0000001A.00000002.2624729604.00000267210CF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                http://nlog-project.org/ws/AgentPackageMonitoring.exe, 00000022.00000002.2021058994.0000021CD8652000.00000002.00000001.01000000.00000022.sdmpfalse
                                                                                                                                                  HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEPROGRAMMANAGEMENT/23.1/AGENTPACKAGEPROGRAMMANAGEAteraAgent.exe, 0000001A.00000002.2624729604.0000026720DC5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesTAgentPackageMonitoring.exe, 00000022.00000002.2021058994.0000021CD8652000.00000002.00000001.01000000.00000022.sdmpfalse
                                                                                                                                                      https://ps.atera.com/aAteraAgent.exe, 0000000D.00000002.2216953221.00000183A47CE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        https://urn.to/r/sds_seeAgentPackageMonitoring.exe, 00000022.00000002.2020595602.0000021CD85E2000.00000002.00000001.01000000.00000021.sdmpfalse
                                                                                                                                                          https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.AteraAgent.exe, 0000000D.00000002.2216953221.00000183A439C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.39/AgentPackageMonitoring.zAteraAgent.exe, 0000000D.00000002.2216953221.00000183A475B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0AteraAgent.exe, 0000000D.00000002.2240249555.00000183BCFD5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zipAteraAgent.exe, 0000000D.00000002.2216953221.00000183A47CE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A475B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  https://bf0ce49d-77cf-4721-bf70-57686383c9ab.ods.opinsights.azAgentPackageRuntimeInstaller.exe, 00000032.00000002.2887151173.0000025800648000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    https://my.splashtop.comAgentPackageSTRemote.exe, 00000028.00000002.2856089852.000001FFA8B90000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      https://get.anydesk.com/8CQsu9kv/AnyDesk_Custom_Client.msiAgentPackageADRemote.exe, 00000045.00000002.2478492310.000002AC0038D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 00000045.00000002.2478492310.000002AC0039C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        http://www.firmaprofesional.com/cps0AteraAgent.exe, 0000000D.00000002.2232940589.00000183BCB41000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          https://system.data.sqlite.org/XAgentPackageMonitoring.exe, 00000022.00000002.2020988692.0000021CD8644000.00000002.00000001.01000000.00000021.sdmpfalse
                                                                                                                                                                            http://www.abit.com.tw/AgentPackageMonitoring.exe, 00000022.00000002.2013672406.0000021CBFB62000.00000002.00000001.01000000.0000001E.sdmp, AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.00000266000E6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003F.00000002.2592969488.00000266005E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              https://aka.ms/dotnet-core-applaunch?AteraAgent.exe, 0000001A.00000002.3112170679.000002673992F000.00000004.00000020.00020000.00000000.sdmp, Agent.Package.Watchdog.exe, 0000003D.00000000.2394409384.00007FF7C3BFA000.00000002.00000001.01000000.00000038.sdmp, Agent.Package.Watchdog.exe, 0000003D.00000002.2397704614.00007FF7C3BFA000.00000002.00000001.01000000.00000038.sdmp, Agent.Package.Watchdog.exe, 00000041.00000000.2435132718.00007FF7C3BFA000.00000002.00000001.01000000.00000038.sdmp, Agent.Package.Watchdog.exe, 00000041.00000002.2438072255.00007FF7C3BFA000.00000002.00000001.01000000.00000038.sdmpfalse
                                                                                                                                                                                HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMARKETPLACE/1.4/AGENTPACKAGEMARKETPLACE.ZIPAteraAgent.exe, 0000001A.00000002.2624729604.000002672143B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  https://github.com/dotnet/runtimeAteraAgent.exe, 0000001A.00000002.2624729604.00000267210CF000.00000004.00000800.00020000.00000000.sdmp, System.IO.FileSystem.Primitives.dll.1.dr, System.IO.IsolatedStorage.dll.1.dr, System.Security.Cryptography.Cng.dll.1.dr, System.Reflection.Emit.dll.1.dr, System.Xml.XDocument.dll.1.dr, System.Private.DataContractSerialization.dll.1.drfalse
                                                                                                                                                                                    https://bf0ce49d-77cf-4721-bf70-57686383c9ab.ods.opinsights.azure.com/api/logs?api-version=2AgentPackageRuntimeInstaller.exe, 00000032.00000002.2887151173.0000025800679000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      https://agent-api.atera.com/Production/Agent/AcknowledgeCommandsAteraAgent.exe, 0000000D.00000002.2216953221.00000183A45A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exeAgentPackageSTRemote.exe, 00000028.00000000.2268161629.000001FFA80D2000.00000002.00000001.01000000.00000029.sdmp, AgentPackageSTRemote.exe, 00000028.00000002.2856089852.000001FFA8B90000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zipAteraAgent.exe, 0000000D.00000002.2216953221.00000183A439C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            https://agent-api.PAteraAgent.exe, 0000001A.00000002.2624729604.00000267210CF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              http://www.w3.oAteraAgent.exe, 0000000C.00000002.1787970855.0000024AB1734000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                https://ps.atera.com/agentpackagescrossplatform/AgentPackageSTRemote/2.1/AgentPackageSTRemote.zipAteraAgent.exe, 0000000D.00000002.2216953221.00000183A47CE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2216953221.00000183A475B000.00000004.00000800.00020000.00000000.sdmpfalse
IP | Domain | Country | ASN | ASN Name | Malicious
40.119.152.241 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
13.107.246.42 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
68.232.34.200 | unknown | United States | 15133 | EDGECASTUS | false
2.19.126.137 | unknown | European Union | 16625 | AKAMAI-ASUS | false
52.223.39.232 | unknown | United States | 8987 | AMAZONEXPANSIONGB | false
35.157.63.227 | unknown | United States | 16509 | AMAZON-02US | false
192.229.211.108 | unknown | United States | 15133 | EDGECASTUS | false
192.229.221.95 | unknown | United States | 15133 | EDGECASTUS | false
18.239.36.2 | unknown | United States | 16509 | AMAZON-02US | false
18.239.69.48 | unknown | United States | 16509 | AMAZON-02US | false
20.60.197.1 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
18.239.36.114 | unknown | United States | 16509 | AMAZON-02US | false
13.69.106.94 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1488350
Start date and time: 2024-08-05 22:17:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 14m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 73
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: setup_it_security (1).msi
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winMSI@128/925@0/13
                                                                                                                                                                                                                                        EGA Information:
                                                                                                                                                                                                                                        • Successful, ratio: 9.1%
                                                                                                                                                                                                                                        HCA Information:
                                                                                                                                                                                                                                        • Successful, ratio: 55%
                                                                                                                                                                                                                                        • Number of executed functions: 444
                                                                                                                                                                                                                                        • Number of non-executed functions: 5
                                                                                                                                                                                                                                        Cookbook Comments:
                                                                                                                                                                                                                                        • Found application associated with file extension: .msi
                                                                                                                                                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, SIHClient.exe, conhost.exe
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 6532 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 6600 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 7476 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AteraAgent.exe, PID 1528 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AteraAgent.exe, PID 7520 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AteraAgent.exe, PID 7696 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 6452 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 7196 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 7280 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 7908 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Report size getting too big, too many NtSetValueKey calls found.
• Report size getting too big, too many NtWriteFile calls found.
• Skipping network analysis since amount of network traffic is too extensive
• VT rate limit hit for: setup_it_security (1).msi
Time      Type             Description
16:18:05  API Interceptor  3x Sleep call for process: rundll32.exe modified
16:18:09  API Interceptor  1803x Sleep call for process: AteraAgent.exe modified
16:18:22  API Interceptor  30x Sleep call for process: AgentPackageAgentInformation.exe modified
16:18:31  API Interceptor  43x Sleep call for process: AgentPackageMonitoring.exe modified
16:18:57  API Interceptor  30x Sleep call for process: powershell.exe modified
16:19:01  API Interceptor  380x Sleep call for process: AgentPackageSTRemote.exe modified
16:19:05  API Interceptor  49175x Sleep call for process: AgentPackageTicketing.exe modified
16:19:09  API Interceptor  23x Sleep call for process: AgentPackageMarketplace.exe modified
16:19:09  API Interceptor  26x Sleep call for process: AgentPackageRuntimeInstaller.exe modified
16:19:21  API Interceptor  1x Sleep call for process: AgentPackageInternalPoller.exe modified
16:19:39  API Interceptor  7x Sleep call for process: AgentPackageUpgradeAgent.exe modified
21:19:00  Task Scheduler   Run new task: Monitoring Recovery path: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe s>schedulerrun
21:19:38  Autostart        Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce {ff783edd-4e4e-491d-9d9c-72f3aa70cedf} "C:\ProgramData\Package Cache\{ff783edd-4e4e-491d-9d9c-72f3aa70cedf}\dotnet-runtime-6.0.32-win-x64.exe" /burn.runonce
21:20:13  Task Scheduler   Run new task: AteraAgentServiceWatchdog path: C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe s>eyJBZ2VudElkIjoiMjE5Y2ZhYzEtOGQzMS00MTQ1LWEwNmEtMjAzZmRkZDYyM2M0IiwiQ29tbWFuZElkIjoiNGViOGIzYWUtM2ExZS00YzdiLWE3ZjMtODg0ZGIyNzIxODk4IiwiQWNjb3VudElkIjoiMDAxUTMwMDAwMENEdHBPSUFUIiwiQWdlbnRBcGlIb3N0IjoiYWdlbnQtYXBpLmF0ZXJhLmNvbS9Qcm9kdWN0aW9uIiwiQXJndW1lbnRzIjoie1x1MDAyMkNvbW1hbmROYW1lXHUwMDIyOlx1MDAyMmhlYWx0aGNoZWNrXHUwMDIyfSIsIkFnZW50RGlyZWN0b3J5IjoiIn0=
                                                                                                                                                                                                                                        No context
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 16%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8835
                                                                                                                                                                                                                                        Entropy (8bit):5.662060767011452
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:Kj9xz1ccbTOOeMeUI61t7r6IHft7r6kAVv70HVotBVeZEmzmYpLAV77jXpY92r:KZD2KdpdtiB2i3
                                                                                                                                                                                                                                        MD5:D1D16744863CF4F43810086D3F5B57BB
                                                                                                                                                                                                                                        SHA1:90FDEACCEDF82D1D6439CCE8BF717E7A22E5AFE6
                                                                                                                                                                                                                                        SHA-256:59E73F15AE016434E58B9C8C03B6298661C03CDBD71D9E6685B88F65E7C2F093
                                                                                                                                                                                                                                        SHA-512:6900611BE642F433E4ABE55716E80C132F0FA293989D5845AF147FCFA320F9C361FF4A3003647DD43E020BDE560E8416326F0D7B6202C654E32C3A7E263B38B2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\5836b4.rbs, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@D..Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..setup_it_security (1).msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{3
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9501
                                                                                                                                                                                                                                        Entropy (8bit):5.573287961088995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:Ij9G/CcRUbLCsgREbLCMDp17qEVl0Q2LALtyD0qagukGGhaKfmbHt1famkD8BrEa:IZkXRqgR6d+KK7mo8BT
                                                                                                                                                                                                                                        MD5:94BB0656C5B7EE485AE1BAA3FA2C95F3
                                                                                                                                                                                                                                        SHA1:29E2431FC71A2E2AFDAE8D99BF8CFD246FF91A38
                                                                                                                                                                                                                                        SHA-256:ABA2C2F5E4E797B7667164D6CE7E5FD2C9CF480B6C42356EDA3A48C673F0C42E
                                                                                                                                                                                                                                        SHA-512:2D5EECB030D333A09FBF41637B9DA7919E83C5BDA7522D0EB79026F38FD36E205C898B77D8D8A681A28A2067367E33E4D693B17CEEA7CB118F4746A27499CC96
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\5836b9.rbs, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@n..Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..setup_it_security (1).msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....InstallInitialize$..@....z.Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7D0A237E2F2A7564CA141B792446E854\Transforms...@....(.$..@....@.Software\Microsoft\Windows\CurrentVersion\Installer\TempPackages...@....(.&...C:\Windows\Installer\5836b5.msi..#0$..@......Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7D0A237E2F2A7564CA141B792446E854\InstallPropertiesx.....\...l.............H.........?...................9...................?........... ... ........... ... ................@....%...AuthorizedCDFPrefix%...Comments%...Contact%...DisplayVersion..1.8.7.2%...HelpL
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8767
                                                                                                                                                                                                                                        Entropy (8bit):5.654825549223062
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:+My7wo+fncHMe21A6ITA6k7s5VNpkxYpLso:vPo+fncHiAVAtSNpkcP
                                                                                                                                                                                                                                        MD5:170BB985A162F814ACBB4C43C3C15B62
                                                                                                                                                                                                                                        SHA1:D69A3451924B4FE32EAD381E39AC69991D1A5DBE
                                                                                                                                                                                                                                        SHA-256:7C7E930849325971539176E067EB3EA8818C88347CD2B1298EF8657DC5EDA8F5
                                                                                                                                                                                                                                        SHA-512:F49236A7947B0BAFC6BFB3B58A35E1E2661312D68C36003BE2A778AC88AA44829D73AB2A2BABE0A2B4DA096ED84309664203F13CAD290D0530DED4E44787B799
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\5836c1.rbs, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@r..Y.@.....@.....@.....@.....@.....@......&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}..AteraAgent..ateraAgentSetup64_1_8_7_2.msi.@.....@.....@.....@........&.{911E9E2F-B38D-4D02-A148-5E49FC9D8943}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):57458
                                                                                                                                                                                                                                        Entropy (8bit):5.860850253756937
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:Cg8kxUr9O4QafETLKEpMzsMxlNPF73hXqiRuT2oKUG5aE/We6pEFfEojISLQTpf1:gQSm
                                                                                                                                                                                                                                        MD5:98D3FC6B349DA19A16CD599F8EC87710
                                                                                                                                                                                                                                        SHA1:923F670DDAD182B855E94CA153C17691FD1D13F6
                                                                                                                                                                                                                                        SHA-256:04D1B0B16ADC00DB4A3277FD87D1660379D31C09B632AB6BD5F2A4FA93CF2991
                                                                                                                                                                                                                                        SHA-512:2DBDF1B33BAB095264560BBBA4799F2E9D488CC45C1566287EC0A566ED05B95EF63F4C1171E84CF8017B059A36FF2683585019C22F435B0ACE80F6BE28050104
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@u..Y.@.....@.....@.....@.....@.....@......&.{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}%.Microsoft .NET Runtime - 6.0.32 (x64)!.dotnet-runtime-6.0.32-win-x64.msi.@.....@gA.0.@.....@........&.{81A6B662-3AB0-42DC-AE22-74E8036F80FA}.....@.....@.....@.....@.......@.....@.....@.......@....%.Microsoft .NET Runtime - 6.0.32 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{3B053811-15BE-513E-9DEC-B2B5C4918267}&.{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}.@......&.{12C6BE75-4A6B-5D0E-8906-981484BEDEFB}&.{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}.@......&.{5B8B7A30-DD32-5F3F-BF38-4CDA80FF7B58}&.{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}.@......&.{2D57BD37-A665-5E90-A9D0-150D1AE6247E}&.{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}.@......&.{6F6135D1-D37B-59EE-915A-2CCBA1F18027}&.{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}.@......&.{07C0B213-96A0-54A8-8375-7897382BD558}&.{3FDCF0A2-7C1F-41C7-9749-0D91EC216A
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9062
                                                                                                                                                                                                                                        Entropy (8bit):5.6003968586283746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:AmbnPKC5jc2Keq3g35rUOeD2+PZCsTlYUOeD2+PZC6jcS3Y30YlTlWYhIKE5357m:1jKiY/e7YL8IFL8t/EjANmWph
                                                                                                                                                                                                                                        MD5:E779C77E90570C0FC0FF104A9B4C1355
                                                                                                                                                                                                                                        SHA1:54038E2747C515E913EFEB46F62E93CF5C49BFB7
                                                                                                                                                                                                                                        SHA-256:73FCC38161A2F6E4F7E0F8BA3A4416F0224916E879DDC52F6DB0ED04038F462F
                                                                                                                                                                                                                                        SHA-512:59CE4D7DFF9F9EBA2755FA3483D05FBE7B175021EFFBABBA0E66CB7C71FAFCA86235F86C8A0CF5D2CE7CB0CD33BD1741BF203BEFBC99D21DE415C3AEBDB8B4AC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@|..Y.@.....@.....@.....@.....@.....@......&.{667CB653-70E1-4E2B-9C8E-6A02A6CF88B9}..Microsoft .NET Host FX Resolver - 6.0.32 (x64)!.dotnet-hostfxr-6.0.32-win-x64.msi.@.....@gA.0.@.....@........&.{43DA5864-E85C-44A5-B8EC-4BB554FA8AFC}.....@.....@.....@.....@.......@.....@.....@.......@......Microsoft .NET Host FX Resolver - 6.0.32 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{E116E585-E2CE-5BAC-A645-7047860785B2}&.{667CB653-70E1-4E2B-9C8E-6A02A6CF88B9}.@......&.{0AC899A6-3CC6-559F-9577-67925851F466}&.{667CB653-70E1-4E2B-9C8E-6A02A6CF88B9}.@......&.{8EC524B8-7864-5ACE-B320-2D36216EBC12}&.{667CB653-70E1-4E2B-9C8E-6A02A6CF88B9}.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..(.C:\Program Files\dotnet\host\fxr\6.0.32\....3.C:\Program Files\dotnet\host\fxr\6.0.32\hostfxr.dll....WriteRegistryValues..Writing system registry values..Key:
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3816
                                                                                                                                                                                                                                        Entropy (8bit):5.060890930272507
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:AmM5sne4etTlxm7epQfTlxmpQ6WSiiRIy:1Syenk47
                                                                                                                                                                                                                                        MD5:98E6D3B0176DC1FCB134807D5A4E29EC
                                                                                                                                                                                                                                        SHA1:B294B66DC3BDE8CE7EB0C55BECE1998F44833737
                                                                                                                                                                                                                                        SHA-256:5B58180AA2B60390C6EF32269CC27165EC75FC336278E089C288FAA8CBEC3F14
                                                                                                                                                                                                                                        SHA-512:A489D0CBFECA01DA0F2D22F4F6994464A1D0E08C5CCEBE6B28BBA71A54D9D03DFF29F34170337EA59BCB430E937383A0A6E56FAF40C159DA04B58BE41450714A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@|..Y.@.....@.....@.....@.....@.....@......&.{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}%.Microsoft .NET Runtime - 6.0.32 (x64)!.dotnet-runtime-6.0.32-win-x64.msi.@.....@gA.0.@.....@........&.{81A6B662-3AB0-42DC-AE22-74E8036F80FA}.....@.....@.....@.....@.......@.....@.....@.......@....%.Microsoft .NET Runtime - 6.0.32 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....RegisterProduct..Registering product..[1]$..@......Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\2A0FCDF3F1C77C147994D019CE12A6DE\InstallPropertiesx.....\...l.............H.........?...................9...................?........... ... ........... ... ................@....$..@....3.Software\Microsoft\Windows\CurrentVersion\Uninstall.............................................. ...!................... ...!.......?........... ... ................... ... .......?.......................................?.............................
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10280
                                                                                                                                                                                                                                        Entropy (8bit):5.61544915276055
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:iQUZRj2S8ln+seh+MYp8Ilp8di8k/zEYW9NYX1udXkZWpImoCKSBy5Y:iBZRj2S6rp9pJC
                                                                                                                                                                                                                                        MD5:7DB529E5FD56C0C05D2E45ECE0275EAA
                                                                                                                                                                                                                                        SHA1:21B6BB9DB6203CD7879390F1FB3F228CDAEA4152
                                                                                                                                                                                                                                        SHA-256:E087AA6095B5C4061ACB5DFBED5AC5274FF61C7D7DF584E2459715142FA8846B
                                                                                                                                                                                                                                        SHA-512:199AD2F3F0BED1AE93E77344558CFA45C942DB53111DC53D62F1AB106D47287965E1FFD9C5625B2668581BCFE8BE356C10820FADE19F11AA5CFB1CFCAE23C977
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@}..Y.@.....@.....@.....@.....@.....@......&.{A09F8381-88C3-44C4-9DAB-AC44F4F4DB4B}".Microsoft .NET Host - 6.0.32 (x64)..dotnet-host-6.0.32-win-x64.msi.@.....@gA.0.@.....@........&.{6CC46603-A43D-40BF-9045-9949A2B95632}.....@.....@.....@.....@.......@.....@.....@.......@....".Microsoft .NET Host - 6.0.32 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{3AB1371A-161F-5BD9-98C8-F9BF7A103CA5}&.{A09F8381-88C3-44C4-9DAB-AC44F4F4DB4B}.@......&.{45399BBB-DDA5-4386-A2E9-618FB3C54A18}&.{A09F8381-88C3-44C4-9DAB-AC44F4F4DB4B}.@......&.{EA9C3F98-F9B1-5212-8980-CFEAF2B15E0D}&.{A09F8381-88C3-44C4-9DAB-AC44F4F4DB4B}.@......&.{E4E008C8-57A8-5040-BB34-03024B15B6C5}&.{A09F8381-88C3-44C4-9DAB-AC44F4F4DB4B}.@......&.{CE35924C-AD31-51DF-B84A-A8052ED08400}&.{A09F8381-88C3-44C4-9DAB-AC44F4F4DB4B}.@......&.{A61CBE5B-1282-4F29-90AD-63597AA2372E}&.{A09F8381-88C3-44C4-9DAB-AC44F4F4DB4B}.@....
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3870
                                                                                                                                                                                                                                        Entropy (8bit):5.088608413392029
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:LmbnJe430tTlW730s/lTlWs/gW3Ai3IpVx8y:i1eNE6T
                                                                                                                                                                                                                                        MD5:D648E08ECCFF2918EA86CD49137598A0
                                                                                                                                                                                                                                        SHA1:EBF82E1BE40EF9531E29526622BEB7FF3B3B4A5F
                                                                                                                                                                                                                                        SHA-256:FFB5710030B2CED9D5F2CD299DDC006F2EBC8233A7CB2BF2B4D791D78536A99C
                                                                                                                                                                                                                                        SHA-512:BE447EF486CABCE256A257D1B036A704336E00E70B36F15DF1A1F9AB815D0675F7E66B6E9CB1B71377C115DC646D4F79F3E13449E94B24CC329DBAF54D88A91C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@}..Y.@.....@.....@.....@.....@.....@......&.{667CB653-70E1-4E2B-9C8E-6A02A6CF88B9}..Microsoft .NET Host FX Resolver - 6.0.32 (x64)!.dotnet-hostfxr-6.0.32-win-x64.msi.@.....@gA.0.@.....@........&.{43DA5864-E85C-44A5-B8EC-4BB554FA8AFC}.....@.....@.....@.....@.......@.....@.....@.......@......Microsoft .NET Host FX Resolver - 6.0.32 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....RegisterProduct..Registering product..[1]$..@......Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\356BC7661E07B2E4C9E8A6206AFC889B\InstallPropertiesx.....\...l.............H.........?...................9...................?........... ... ........... ... ................@....$..@....3.Software\Microsoft\Windows\CurrentVersion\Uninstall.............................................. ...!................... ...!.......?........... ... ................... ... .......?.......................................?...........
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3795
                                                                                                                                                                                                                                        Entropy (8bit):5.030365703875853
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:LmTpbJe4+/tTlO7+/4zlTlO4zgW+/i+LUgUdy:iLeXl52615IpY
                                                                                                                                                                                                                                        MD5:C54DB48843EC982A698C10D5DA7F6CC3
                                                                                                                                                                                                                                        SHA1:E2308B9C7EE4EA63576565CC9110BFDD9E0323D4
                                                                                                                                                                                                                                        SHA-256:E91D3F783429F7011D09979C922DD2A341CB710B174243EEC95DF90A1F12F51B
                                                                                                                                                                                                                                        SHA-512:AF39E58B2A430DC694DCB9500B9099A76065F90961A14426F5432A5BD3555EC455DDE885C62C02E89104FDBD900AC1CE668531E87818A49BCD73FDE2899E1B2A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@}..Y.@.....@.....@.....@.....@.....@......&.{A09F8381-88C3-44C4-9DAB-AC44F4F4DB4B}".Microsoft .NET Host - 6.0.32 (x64)..dotnet-host-6.0.32-win-x64.msi.@.....@gA.0.@.....@........&.{6CC46603-A43D-40BF-9045-9949A2B95632}.....@.....@.....@.....@.......@.....@.....@.......@....".Microsoft .NET Host - 6.0.32 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....RegisterProduct..Registering product..[1]$..@......Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\1838F90A3C884C44D9BACA444F4FBDB4\InstallPropertiesx.....\...l.............H.........?...................9...................?........... ... ........... ... ................@....$..@....3.Software\Microsoft\Windows\CurrentVersion\Uninstall.............................................. ...!................... ...!.......?........... ... ................... ... .......?.......................................?......................................
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):753
                                                                                                                                                                                                                                        Entropy (8bit):4.853078320826549
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                                                                                                                                                        MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                                                                                                                                                        SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                                                                                                                                                        SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                                                                                                                                                        SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):7466
                                                                                                                                                                                                                                        Entropy (8bit):5.1606801095705865
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                                                                                                                                                        MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                                                                                                                                                        SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                                                                                                                                                        SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                                                                                                                                                        SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 16%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1345342
                                                                                                                                                                                                                                        Entropy (8bit):7.999087415296336
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:24576:P6qarBXIu143emJM2e03hHsPi7+QfGIjn5xgFxNybKJvTDSJSH:cVI81mOZ8tsu+MjnrAsimY
                                                                                                                                                                                                                                        MD5:F2E653E517216BAE6EE1866E56C93541
                                                                                                                                                                                                                                        SHA1:C9CFE52AEA1FC5026437162E5CD6EC5AFDDCDB23
                                                                                                                                                                                                                                        SHA-256:1A76544543CA4CCDD3981F517E93E316EF3EEFA677ABBDDB19AC94B9AD8EC613
                                                                                                                                                                                                                                        SHA-512:7AC34473A4B50991344DE76186B249DA8753FE01C4F1C344CF17136D157A8847A34047D1E492BB74F9B877DDDE155D6E503067FEF2DCCED6F7795B5EDEB97DDD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32588
                                                                                                                                                                                                                                        Entropy (8bit):4.9960910032419115
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:YMiXbLuNFLgxnzeynrL390PbFM1Orsc+eQjBy6qY2871Yu9IM8yzI:YHX+CRN0PbG1Orsc7QqYR71YyIM8II
                                                                                                                                                                                                                                        MD5:30FD970122DC4F600AB043C1F2EAA9DF
                                                                                                                                                                                                                                        SHA1:73ECB0343F13193E1647169994E856B85B3E8A80
                                                                                                                                                                                                                                        SHA-256:B9AEC2BF04C19AEDE9F089947337F4A72F4D9D9107499D06489220B78965945A
                                                                                                                                                                                                                                        SHA-512:070C5B9976289C7EF84D01BCEC81E87B538F0251048FDEAD99EB8CBFC4CCE5AE9F3072D0F5AD79B1BB49CF3C78858581627636035772F875B132044FCBAEA0E3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{.. "runtimeTarget": {.. "name": ".NETCoreApp,Version=v6.0",.. "signature": "".. },.. "compilationOptions": {},.. "targets": {.. ".NETCoreApp,Version=v6.0": {.. "Agent.Package.Availability/0.16": {.. "dependencies": {.. "Atera.Agent.Package.Infrastructure": "1.0.0",.. "MQTTnet": "4.1.2.350",.. "MQTTnet.Extensions.ManagedClient": "4.1.2.350".. },.. "runtime": {.. "Agent.Package.Availability.dll": {}.. }.. },.. "Microsoft.Extensions.Configuration/6.0.0": {.. "dependencies": {.. "Microsoft.Extensions.Configuration.Abstractions": "6.0.0",.. "Microsoft.Extensions.Primitives": "6.0.0".. },.. "runtime": {.. "lib/netstandard2.0/Microsoft.Extensions.Configuration.dll": {.. "assemblyVersion": "6.0.0.0",.. "fileVersion": "6.0.21.52210".. }.. }.. },.. "Microsoft.Extensions.Configuration.Abstractions/6.0.0": {..
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):64080
                                                                                                                                                                                                                                        Entropy (8bit):6.320286768676932
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:9pU+qNEN8hGUdlhkjqMCgoGIxBNPlaWxk4TKZ08gDT7iC6gW3GIXtHEje4bEpYin:DU+CkuMChNPlakNcgD8ge1+JU7Hxz1
                                                                                                                                                                                                                                        MD5:E863A6AB8AA66CDFDB72085FF29C8945
                                                                                                                                                                                                                                        SHA1:3018DAFFFA623BC8404E1D0AE990B3B58E502455
                                                                                                                                                                                                                                        SHA-256:8168DF0CFF719BB10F2A03EC220788C931DA3E5EFA02030011AFF5B48F888D36
                                                                                                                                                                                                                                        SHA-512:62C0623C9E2BD66A3C1469BE3D2B7D36CB52364181D38400A6F27EE0600DA98DE921F49EBCDC2EB6A49D2CC0C2FFE4287D7587020162DEBDD54209CC89108350
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):160336
                                                                                                                                                                                                                                        Entropy (8bit):6.2128348726246605
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:6czkitvo4BpYN/6mBPry8TXROLdW5m4mUR39OOGO0kLxD:6A4NCmBPry/N2jOO7r
                                                                                                                                                                                                                                        MD5:EEB8806784553B29F5E8CE3F3566C452
                                                                                                                                                                                                                                        SHA1:588702EDD2CAE4FB11558E967BA88F1D4AA0B92E
                                                                                                                                                                                                                                        SHA-256:AA2322E40481D38DF9976C34A564932262EE08E72FD76465ADBCC04545BEEB8F
                                                                                                                                                                                                                                        SHA-512:88378E2190D813E788121DB814AC9B49FF12E489780CF46CDA770794D3EDF64075E1C73F2C1EFD29265EE71FDCB13A06A0DE0C29747773636FD3DE28ADA6E2D1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):14
                                                                                                                                                                                                                                        Entropy (8bit):3.8073549220576055
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhVLD:WDLD
                                                                                                                                                                                                                                        MD5:9A7D20AAA012D185DB528C72378B0ACB
                                                                                                                                                                                                                                        SHA1:CD17C5DDB04E5CBAEBA56BB883B2BD0BF8C529DE
                                                                                                                                                                                                                                        SHA-256:CBA7D06C662A6601164CBC5A0F4086E247DC1ACA7CCF2F72F4443C88DDB29095
                                                                                                                                                                                                                                        SHA-512:961707F9926401EED9FDF892484527D253514F336B2AEF0A450184EE125DB940823E933739ABED422BC97B37E4094EFB3C9C355154F86984EB36508ED28BEE90
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=0.16..
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):253
                                                                                                                                                                                                                                        Entropy (8bit):4.585549446641918
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:3Hp/hdNyhAkI/XCkyFNOJeZS1sHZeQ6NOCUo+K8EkNTy:dFkp5MeU1s5hex+K8Es2
                                                                                                                                                                                                                                        MD5:24E4653829DE1022D01CD7DDD26E2F22
                                                                                                                                                                                                                                        SHA1:9160A009CB381E044BA4C63E4435DA6BFEB9DC6D
                                                                                                                                                                                                                                        SHA-256:DED3AEB5856A11DB0B654A785574490CAB55839EBFB17EFE9E39B89618FC5B91
                                                                                                                                                                                                                                        SHA-512:EFD4BBBA1BAEC0B47003831510E3AA539DB9EF468E0F06BA9D7BA6D0B3800035F7C818D7D90171BFD377EC97D08C4617555BCFF635DD83EFCEB412B1A9CCA820
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{.. "runtimeOptions": {.. "tfm": "net6.0",.. "framework": {.. "name": "Microsoft.NETCore.App",.. "version": "6.0.0".. },.. "configProperties": {.. "System.Reflection.Metadata.MetadataUpdater.IsSupported": false.. }.. }..}
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):59472
                                                                                                                                                                                                                                        Entropy (8bit):6.232150161817101
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:W36VpFishtGAb2BAst2t1z2C0qePts2+lpmjouk3KmGT1S3k7ZJSEpYinAMxCcOO:rFan4tkC0qH2ip2ouXm21oGJz7HxnOO
                                                                                                                                                                                                                                        MD5:2E0FAEE04F8632291F811074ADD4C253
                                                                                                                                                                                                                                        SHA1:0BAE9ACC374F92683691B335325A88FFA3B4109A
                                                                                                                                                                                                                                        SHA-256:2CEB68FE0E177998268E78FCB45065A2B53ED4E8E74F751B6AA993CC2AEACDE5
                                                                                                                                                                                                                                        SHA-512:A312A2B8689202032DDDF5240EF5092977F47BCCF19D0D1568D392EBD51040989453FFF1DB8B7F637E672843E701DD88BEFD80158F3209C089BC08670B7B8B2E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Atera.Agent.Package.Infrastructure.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):54352
                                                                                                                                                                                                                                        Entropy (8bit):6.249382958975322
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:yjPkdaG23BdHAnoekKhbdzn9kpWcwfRLzfoZrx6nnPMfm8XoJE5GtSdhEpYinAM8:IPGShI7mW1ZoZrcn0e0oJ4GtuK7Hxe
                                                                                                                                                                                                                                        MD5:59E6366CBB001376D03B59886F8CC984
                                                                                                                                                                                                                                        SHA1:A9B93839F4960D0E8CFAAEE15439083615AC14AC
                                                                                                                                                                                                                                        SHA-256:902725DBF9F7950D1A4A4F0057CAE5E14816F0ED686BF2422C03561AB13DA870
                                                                                                                                                                                                                                        SHA-512:DC77203DCF26337FA34094F1C954128ECC3C9C72F0F53B46598F6272012749A523AE38C5EE6D55376084568C2D97FB07104EA1D703318231517924FC7BD095D9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):311888
                                                                                                                                                                                                                                        Entropy (8bit):6.173014844115743
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:+F0eAyIQXbKwPMF83GUN/7a3zyROhmogpE2/M3jw:+8QLKwPMKGUuBhh33jw
                                                                                                                                                                                                                                        MD5:6B314E447AD16EF4B8CBAA6CFF589F74
                                                                                                                                                                                                                                        SHA1:86647A26123AED74F2222E95C310C6186B03908E
                                                                                                                                                                                                                                        SHA-256:065EAB6C73BD96467BBC02FC3763DA01C7FB7065368C15E93192EA2F71975BE7
                                                                                                                                                                                                                                        SHA-512:131591A60F8C6251465F8BD103ABD499EDCE850BEE97AFB58A37B2ACFFACFEFDC93EB0EDBBF426220B9C9CAAE0A6212AAD5665A70F913FB96751CBB234A718D4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):26192
                                                                                                                                                                                                                                        Entropy (8bit):6.56959956590535
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:vm++Js0qJ63NU17qtlR9iaTG/0wEzRjz6sMHJhOnAWM/aWsrNWUNyb8E9VF6IYiD:+lso3W7qHypd//SHEpYinAMxCsB
                                                                                                                                                                                                                                        MD5:568B70E6ACC43FA5D6D1B748323B7100
                                                                                                                                                                                                                                        SHA1:33C1E279743914ECAAD4BF3F3581D1914260C8F9
                                                                                                                                                                                                                                        SHA-256:1951AC489A3A924874B67DA82E7DB6C0F4BC599E3C38A8E6EDE0A5C33DD45391
                                                                                                                                                                                                                                        SHA-512:EAAB9BA61D0ED958C6D1A4DF0E95CE5AE2FFCD6A6E6C9FAE5522902FB72586EE16EEF397D94B3625B820113976ABC8F7DABFB55999B8802988D9B20201BC5C66
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):34896
                                                                                                                                                                                                                                        Entropy (8bit):6.492292235898413
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:IRnQyuN61yKW1Guh2dIewN3czA8i1KraoAEpYinAMxCU6:IdgA1yKW1L0dkNc081+oJ7Hxw
                                                                                                                                                                                                                                        MD5:7AEC82F5B955AB320971CF18B13D63E1
                                                                                                                                                                                                                                        SHA1:C7BDA552D6C44FF7F5546AF6BAEAF0DAB0A6C278
                                                                                                                                                                                                                                        SHA-256:6D46A7EC7CC3DF3663B359F54F0F7B9B47EFED4AEF728C6DE117091F3838AB9B
                                                                                                                                                                                                                                        SHA-512:622E1E8373AC5641D0B6C77FF80A422D4A18EED790BBBE675C48A970318736862EFDBE28829A53AA631F8D387A10D14EC86FF748D4F33183CF6D331C47CAC426
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):24144
                                                                                                                                                                                                                                        Entropy (8bit):6.681463392080136
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:T9FrztnCvZrlMIPTlLn9by3WKbW97nW2Nyb8E9VF6IYinAM+oCut8X7De7uA:Tbztn2AmxniKnEpYinAMxCZeX
                                                                                                                                                                                                                                        MD5:63CC618B9FEC8C9503DE8EDB5B7FE6EE
                                                                                                                                                                                                                                        SHA1:C994A8DFD89F5C4329744A589D35AF40B610F6B9
                                                                                                                                                                                                                                        SHA-256:5C5D3B9FAA3E3D3310BEC715473C58D490FD285344B95A381A7F46E19216FE66
                                                                                                                                                                                                                                        SHA-512:96C4F352951320309EC880F3C8BE6558633226DB577D51A22C7EE7B6EA2CF9960AF3B10D826F59DC80E14350BE684FE0836F1A31B19714C98475633BB3919D1C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19536
                                                                                                                                                                                                                                        Entropy (8bit):6.730982430474166
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:SsGu6f0Ux3STFWUQeWmNyb8E9VF6IYinAM+oC/tUlUK7:SsGuWRTuEpYinAMxCWlUU
                                                                                                                                                                                                                                        MD5:E82CC9FD71064E072AE181432720A909
                                                                                                                                                                                                                                        SHA1:22FBE31E07A80B1B8DB0B97A3978ACCBBDBB0455
                                                                                                                                                                                                                                        SHA-256:842D59E7D1116B4072B2A18667EA381E7D2E449F14CABD89DB495EC3B4E4BEB5
                                                                                                                                                                                                                                        SHA-512:682DE1D3AAD5E08A78F7B55524B47926BDF2C249ADA483341DCE021BF1C21EF9EC1BD67BEC24230823253ED51251D5F20FA388E055B88CB5BF35275BAABB36B9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27216
                                                                                                                                                                                                                                        Entropy (8bit):6.556776563317454
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:6Y5JfZB7plLDwLx0umTZXA/XABRfhzWqr6WpNyb8E9VF6IYinAM+oCeB8euvQ7:/rd8Y0wRhzpEpYinAMxCeXL
                                                                                                                                                                                                                                        MD5:F52ACA731FD999D93962B96D86E6B4FA
                                                                                                                                                                                                                                        SHA1:BE07B77866379A49FED237471F232CBE348A1BA1
                                                                                                                                                                                                                                        SHA-256:924B4D2E997C16CE54101D05E8E7298F3D0D0FC9611957CEB5738C7224909DCC
                                                                                                                                                                                                                                        SHA-512:A5EDE09FAE3ABE0FE68F7D04BFC3A382FD0875BD87F4B80465DDB8C0645E4B9AA9FE6DAC5BE18B1F1E5CA32869E00E481103AD4A308AAE2208F857C90D0F4ACC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):26704
                                                                                                                                                                                                                                        Entropy (8bit):6.562781030074369
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:yI2/cK/FWwbGXC8e1lje1l6RWkb2W+Nyb8E9VF6IYinAM+oCE1sD:yI2/cqFWwSl6hXuEpYinAMxCrD
                                                                                                                                                                                                                                        MD5:63072DC72E16744763AB647135C09C60
                                                                                                                                                                                                                                        SHA1:7241FA172D6B5F06AE99FA4112EF981010489797
                                                                                                                                                                                                                                        SHA-256:5DA668B31F3E78DBCB3FA2D261694944DE451C757D62AD57173EF7B1637DA7D8
                                                                                                                                                                                                                                        SHA-512:076906EC35DF1550467E4B2B7070D87F2EE84605D595699E9BC0376681A5637BBB9EC1B1A0933419EDC81F807637767D68ACD1ECAFF0EAAFCADE425DCDD0D762
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25680
                                                                                                                                                                                                                                        Entropy (8bit):6.5096189037099315
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:sw6kebL1iFn6d6E1oE1LdAAW9ACWHNyb8E9VF6IYinAM+oCvcTE920l:AZbcWus/EpYinAMxCgc
                                                                                                                                                                                                                                        MD5:19DAA869DFDD8A67F4F7EEE1C955C7D1
                                                                                                                                                                                                                                        SHA1:3BA0358E9619ED1686A73E8955EBE0C4A61D6EDD
                                                                                                                                                                                                                                        SHA-256:F2AB144E0B9DA3689BC1AFE5AFD8721BBB523EC01C1299176FB5EB11A4B9FCBA
                                                                                                                                                                                                                                        SHA-512:0F42E9AF420A8E0A7547E7D172B4E0238698FFEBF65494F1C4C241E90CEEF53F7238A7423A216B8A86366EF16050B5836FDAEC63570BA468BE1CE5973C27DDB5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):37456
                                                                                                                                                                                                                                        Entropy (8bit):6.451863278895808
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:gi4PV4eWxaVsQLqyCekI/q/xGljjEpYinAMxCkmg:gaVxa2QXUxajc7Hxpj
                                                                                                                                                                                                                                        MD5:A2B120986B4BB34F8BFA9ACF877A6581
                                                                                                                                                                                                                                        SHA1:3E759CE7F93835E8EF7E5F5685A64BBC77FE69A4
                                                                                                                                                                                                                                        SHA-256:DB4B3ECF1812E0BAF0326A94553049FE9DD613613FF344331A8C4A5BF6D062D8
                                                                                                                                                                                                                                        SHA-512:74C787EE77B34159ABC3FFD2CFE75B6855D03415F2E7334F5FD5BF20436B6BF10A65F9BB97143B631E3A56EAFD79D214489B3C393D48321E53DE88518CFF070A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):44624
                                                                                                                                                                                                                                        Entropy (8bit):6.263023686004545
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:X8+cxuPn//hpz2XCkCkCdvAb4b4qox06OoV0F8l0HCTpw0wo0emqEpYinAMxCm5w:M+cxuPn/bvvE0Q0HCNfBsL7HxLG
                                                                                                                                                                                                                                        MD5:8F23259BF8157AA26FE2BB5697CDE18F
                                                                                                                                                                                                                                        SHA1:14E9EA552451E4EA72D77D124FE1330D6F352E26
                                                                                                                                                                                                                                        SHA-256:836863E3C12887EF2BED748EA63903C47DB9D42FDDAB607CD0BA47981A2F7FD8
                                                                                                                                                                                                                                        SHA-512:98FE8F297F1834DC09926E1B3E8AE37EAB8DF183F913453A81A779A10DB0FF93E4F3FE895206C857E15A62882C7EC32121D27A33CA3413B645E9E70A3A3F263E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):82512
                                                                                                                                                                                                                                        Entropy (8bit):6.280844319966934
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:ENLmvi666OjIX0h9zMPvHBWCaRweUG4DynjEZnB87Hxk:K66fjLb8vH0CiUG4DyneB8S
                                                                                                                                                                                                                                        MD5:10D7DB14873F7D90062ED05370F74608
                                                                                                                                                                                                                                        SHA1:E57473D9CAF6417BEEE24AD59226F0DB6D9A2596
                                                                                                                                                                                                                                        SHA-256:5A6E417DFC3349517D74CB22B220B5EDCF5AA7CAFBF858FE21F49ED0C9FCBF8E
                                                                                                                                                                                                                                        SHA-512:D74EEB2A584D10E71582B1EA8CFF08C4968333CF620FE60AF61206375BD7CDC498104DEAA0082EFC47FE850D44FBED5031E3C69301CB3C41D3C70CA1805921AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22096
                                                                                                                                                                                                                                        Entropy (8bit):6.574986500526706
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:5lfkJv/RYTWl6+MTxMufuMc8CWsbhWVNyb8E9VF6IYinAM+oCUUF:5lcJnRYTwIjJ6mEpYinAMxCd
                                                                                                                                                                                                                                        MD5:A2E5939939DEC7631230F0CED43CACAB
                                                                                                                                                                                                                                        SHA1:2946F6E44885EA041D307E6B535D21F4594487FC
                                                                                                                                                                                                                                        SHA-256:BA54C5630AE9E7994E5489C7DA9A80E4E3C9CC46921BA9EC9B3B625E35011FFB
                                                                                                                                                                                                                                        SHA-512:0A9130E542F4E127CA3BDD51D64EC75DB8793C66815CBB6FD17B5C8788594C0FD7EC7CD7730DAF84BA275A35DC95F9B56FE73A25189B4C538CDEB289696EA94E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):43600
                                                                                                                                                                                                                                        Entropy (8bit):6.435989681911625
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:uHxWCQ4MPJG3cOeeapdUgsWflN+Qu5cEpYinAMxCT:uHxW58re3pdUqN5u517HxA
                                                                                                                                                                                                                                        MD5:5B11E661BC8B53F6886776E6C0AF024E
                                                                                                                                                                                                                                        SHA1:644BCFAD4D5DE8ABB74A692DB728C6EB4EA5DCEB
                                                                                                                                                                                                                                        SHA-256:2F329F4B16D0F1DFA1CFF2DD699F6B28F30F45F61F6AF8B393CB7A13358B0E20
                                                                                                                                                                                                                                        SHA-512:EB3F13885303313697B347F330F102A8C6467A3AAC402FE0110993B4B7ABB3FC42387A50933E4B466CEA614C4B0434A9C94A04CB1229691F7E4AC87DCF4AA276
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):45136
                                                                                                                                                                                                                                        Entropy (8bit):6.356515470188593
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:LlwMU3jMMSPNueKQWjRUILOK2Ksf/qSCgHgUsJJEpYinAMxC8:LuMUJqLWjRHFtsHqSCgHgUsJy7Hxj
                                                                                                                                                                                                                                        MD5:EE514D62931BB1B8D2F76597F4B5AAC2
                                                                                                                                                                                                                                        SHA1:F9052A124653BA28CE8ACB3DFF1DA7E261CEB92D
                                                                                                                                                                                                                                        SHA-256:6C0F0AA4A3772448A688AB8E086861DE8026E3D8A97EF4A8D513AA9E5535246C
                                                                                                                                                                                                                                        SHA-512:74CAA313BD77D88CB9EAA5E35E6388B32734E605DBB514130F1FCBE03FF4D7D1D7F9EE884F97975BAF2FE7D76072D9056116FA6BBB59C0786513354B589993EE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):28752
                                                                                                                                                                                                                                        Entropy (8bit):6.5663544647348155
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:sfGp7YacaEaVNbG12flBF76euwMw0tXXVfFQkzsG9kni7QXRdQWibdWPNyb8E9Vv:owVNz9BF76ejMbmHXRQAEpYinAMxCxu
                                                                                                                                                                                                                                        MD5:451165A322F6BDFAB22D2640CFEBD88D
                                                                                                                                                                                                                                        SHA1:E0D874B7FC80611581E745AD721540A3A20C7E1D
                                                                                                                                                                                                                                        SHA-256:A982218CD6CEDB1DE7D4286C8B4E785F16A59AF06F780A88D250CFC41DA3B941
                                                                                                                                                                                                                                        SHA-512:227B4D98A758E13AE84453E7FE2B3970D95EE195192DC147B51316F73F5B6CFD68E629DA15A314AECA19084B3A9A080D7E6D4E6D3826D070F7081EA8E8BDC7F4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):56400
                                                                                                                                                                                                                                        Entropy (8bit):6.30490980453766
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:uBu8CE7AFg+0ITvhADGmnnbaTfP63+R3u9q09ejEpYinAMxC881:ucfWA2+DjaD/nnba+3uwq09ec7HxS1
                                                                                                                                                                                                                                        MD5:6A78A125A2E3E232E5CA99DFC52F5BAB
                                                                                                                                                                                                                                        SHA1:B9926C0419472F8BCC5DD23532E29C1DA34EE17A
                                                                                                                                                                                                                                        SHA-256:DE00084D93DDC8DF65BF23D70DCE1F9DFAF4277C381EED19E9F96A18D1A77C57
                                                                                                                                                                                                                                        SHA-512:624873C03967886E4C6A628034B0ED7C7747CCFD32641194F4F5B8827D3555DC28590533B69D03F2597F218CD010E5D70B0CED024736B20ADDC68367346EF494
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):63056
                                                                                                                                                                                                                                        Entropy (8bit):6.287321950681953
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:J+UfRQY8PGNWovMLJYBjtLgnuAAAAAknwd45FnrfMq1/yJuoiYblHJg6GOmDulEh:J+tY8PIiq51wcFnDMsno7jRma+7Hxd
                                                                                                                                                                                                                                        MD5:55EBC669459FCC49F58F96F9003B9ADB
                                                                                                                                                                                                                                        SHA1:B00BC54B8BB572A91E6B5449CA7E161244806895
                                                                                                                                                                                                                                        SHA-256:718EF8C135AEB2C5B248F433758441503CC3F42E70946666608AFF3AEE495DFA
                                                                                                                                                                                                                                        SHA-512:AF18059F3E3E4304FB877FDF2ED61D53D072BB2B3D8E1EBA0D4B74ACD04108063F7853054BBF97A93850821A543A57FEE02E0252C8AFD409335F916B56D0A2BE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27728
                                                                                                                                                                                                                                        Entropy (8bit):6.551086012985974
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Y/r0yw26S3QgV/UxNmsUspvnipmgNRLGc3WxsBU7RWBzNyb8E9VF6IYinAM+oCfX:8r0j26i92L6zBU7uEpYinAMxCP
                                                                                                                                                                                                                                        MD5:234B690507F9FAB8A2AE2DDED1357C17
                                                                                                                                                                                                                                        SHA1:27B4B381DDA5DB266AC6318B410BF25EA9F8A7F1
                                                                                                                                                                                                                                        SHA-256:7A4598E103896F4F5CDE4FE1C1A9F2D1535C26F8D1A4F97C9332EF3C40A439D1
                                                                                                                                                                                                                                        SHA-512:28362763CA8F620217DA4E9ABCE43CCEB0FE952B09AFFD240EF1B8327424FD09E255CEDAFBABF48D0D9691D81A5B07F3BF345947AB5567E41E8F47CE5ADDB9F0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51280
                                                                                                                                                                                                                                        Entropy (8bit):6.367904513182944
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:fTGWFIlYoY5b3OxMZnndnnennnnnnRt3nV+JEtpzU+uujK2lBJqFsSjKcb7SEpYc:fiKIe9JyvSCG2l+NX7Hxheo
                                                                                                                                                                                                                                        MD5:D024BA9294E580CE20266BE92144CE21
                                                                                                                                                                                                                                        SHA1:C84A8789B37D8A086FD9750E92F870CC271DBBF2
                                                                                                                                                                                                                                        SHA-256:207592672324F9B89D88DAA01E18A9501FFDA351908FADFFA1D38FE779594524
                                                                                                                                                                                                                                        SHA-512:EECE0E3FDDE38170CA8F9B5E154224EA317314B97D8C87E3F501D50C3059F5CD39E0D45272279F523430206219D474E3F8AA4754B23489218DBE007E433DA3C6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19024
                                                                                                                                                                                                                                        Entropy (8bit):6.636376636323213
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Ev+kBD/v7WJZVMWUBNyb8E9VF6IYinAM+oCCb4RC:EmMbuaEpYinAMxCGIC
                                                                                                                                                                                                                                        MD5:EC620107577C70EF9A35370ECDC7E48E
                                                                                                                                                                                                                                        SHA1:D5B1D31BE728865CD2BE805A99899CEBE9FB9543
                                                                                                                                                                                                                                        SHA-256:149785F6C1069C4AEEDC4B13730BEE3664EB714F44EEDCFA15D097FFACEA5548
                                                                                                                                                                                                                                        SHA-512:60391DAD37D27D105ED3DB4D8DD5F06BCF2EB69CB06D9026A8C2CF713884C4EF3A9E6C13A5B6669B834963055A5E18B43D94BC4DD10C781F0D4D5A860B4C5409
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25168
                                                                                                                                                                                                                                        Entropy (8bit):6.602492244793594
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ZzTu6iOUdGgvklNpdOHhvVhZQVW27FW8Nyb8E9VF6IYinAM+oCC/Fi:ZziZOwklFYh4jEpYinAMxCd
                                                                                                                                                                                                                                        MD5:25085314DBB9591FB8E8069350D1DF4B
                                                                                                                                                                                                                                        SHA1:31C55CE68D4C2EB2BD7528B5FAA63330E9F7F10D
                                                                                                                                                                                                                                        SHA-256:4F3913937EC411FF2EBE7AFAF10A2B55F572A6F1763BB3B1320E93540176570B
                                                                                                                                                                                                                                        SHA-512:4EB7215BDB25D233A069B536A5A7129528F66978E9D2A76F2BFF8DFE9A08A8406B8D4F496E1B1AA0B19E15E4EE5DB308848723180D7081697ABDB1D542BFF0E5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):33872
                                                                                                                                                                                                                                        Entropy (8bit):6.563086985369541
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:T2x4wbbh7Kx8kJ3yiW8/zKeGmBt1qm1CS1yvhGcRtquW3LUWTNyb8E9VF6IYinAW:5wvh7KxdlW8Jvr5EpYinAMxC2n
                                                                                                                                                                                                                                        MD5:AE55839BDB2A80A88E423363DE26646B
                                                                                                                                                                                                                                        SHA1:216B449838A7C2FFD182D1B78BD1FE4DA4E60BDE
                                                                                                                                                                                                                                        SHA-256:274B5887C6D0CEAAF7CBC6D613FF7D69EFA6314AF7950C75E5F91ABA421A60B0
                                                                                                                                                                                                                                        SHA-512:AF7EA961214F17A09A27AF932F8528162C876E5D74410AAA6D96BF4F8412EECD6F93DC28F7F657BFC7D92486480AABCC45AD5E35B6EDF61272E6F68F5B40214A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):45648
                                                                                                                                                                                                                                        Entropy (8bit):6.394614635924562
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:vX8pDT8XP6hA+wMaLWCzAVLOPnyEpYinAMxCwC:vXiDTaP6hfY1GOPnT7HxRC
                                                                                                                                                                                                                                        MD5:6543EA508CA44C208A5E7387188069B8
                                                                                                                                                                                                                                        SHA1:639C57EF6A4248852E799FD6FE085EA3362CB856
                                                                                                                                                                                                                                        SHA-256:C562A4A38C9FB59873702712D070BC97D10BEAEF5257577CDEC7CB38101B017C
                                                                                                                                                                                                                                        SHA-512:4F70074085869A750552A51F8F43517688DCF789327F000795F56F87E4A34CFF1AC7D7B1988E09F1E8F67360A1C24166303D5691FEE033A9FF4D81674FC56C99
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):23632
                                                                                                                                                                                                                                        Entropy (8bit):6.6336314644715
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:noePm+VIkOdHt6Zx8HignlSZYT9zWzL0WtNyb8E9VF6IYinAM+oCD7P5V:lPzVIko9FD9o3EpYinAMxCnP
                                                                                                                                                                                                                                        MD5:B04F71ECBEB0CD1FC15679B5F2C83C18
                                                                                                                                                                                                                                        SHA1:69C7C2D7B66967CD707FF58D7076162BD978AD1F
                                                                                                                                                                                                                                        SHA-256:019127850A8B5942C77ADA38D80BCCA4ABD739BD78A038DDD0C5A04AB817B092
                                                                                                                                                                                                                                        SHA-512:24A75E1F6CF53CAEAD02BC9A0E7A73B163B83B111333656F5FB5BF36AA9F93F4B71C24F22B30774D902ED51529361B529775C9F2EBDB75114E95D2E8DD48509F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):59984
                                                                                                                                                                                                                                        Entropy (8bit):6.316388481082354
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:+CD3yk2B8+9PwwOxC8wZLq6J4q2r0qafouRVPvW3nEpYinAMxCxq:hkB8+94xxBmm6mqaBafouRdiA7Hx/
                                                                                                                                                                                                                                        MD5:692E60666691AA7C7A3D41B9B84E9671
                                                                                                                                                                                                                                        SHA1:C16EF8101414C2850C788DD728E2F1134286A4D1
                                                                                                                                                                                                                                        SHA-256:D73BCD766C323469E4DDAA3E28010CDC1BADBF18DFE9914B0930AE3496E6CF1E
                                                                                                                                                                                                                                        SHA-512:28CA49180AD5EFD477B957D52786E52A27A732302B0CDE634ADE7AF8A8A9F25DBD06E31245A7EB323308859216650CAFC072BF21CC1DB4FA45BC77B1BF1C0BD0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41040
                                                                                                                                                                                                                                        Entropy (8bit):6.341422324702679
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:zlx+oQSHqk49NI0OP7NWEfDkkuiEk3LViMEpYinAMxCog2:vVQSyI0OP7NxfAkuiEkbwF7Hxf
                                                                                                                                                                                                                                        MD5:E6187CE82E5FDBB4814DBB4B75DF1A33
                                                                                                                                                                                                                                        SHA1:CA55691C125C9D8F7E3573A4EBDFCD5C6CD8576C
                                                                                                                                                                                                                                        SHA-256:B8D387926AF32BA9B40CC21C15B20B7458EACDE96AAD1A10B36365B66CCA184D
                                                                                                                                                                                                                                        SHA-512:D5C98142E58CAE512FDBCC8D5C4F639D4589FB022C79272E4530816F7D22C7595A93E9DADBD2636351B6DA10D3754DF14368FB5A7AAEA110D63931DB2781E56E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):697936
                                                                                                                                                                                                                                        Entropy (8bit):5.963248155050918
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:deos/POdGV5jfWrV/9Yeh9eRcyLfLYtT5mWxTZ/B7jW5JMtRRpKzQJ:d0/POdGV5jfW5VnhFyvOB7jW5JMtP
                                                                                                                                                                                                                                        MD5:3FC646321E6E41A6F6DB0F6D68CF0838
                                                                                                                                                                                                                                        SHA1:F2D15576C8BE70F68548CD040978DDD6B4204AA0
                                                                                                                                                                                                                                        SHA-256:9C850C7B7B45844B125076F3774F81B71A24537B7F187E597C4CE3C6026F913A
                                                                                                                                                                                                                                        SHA-512:6CBB07C0E3B5D7607F1B4D4A3A4E78164CE3EC48E70935BB60FE5EA1B596814EDACD9491703F0A7D279544E14FC4C00691EE70505B2A758617690C77682ACEBE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):285776
                                                                                                                                                                                                                                        Entropy (8bit):6.198599890196997
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:5MiAQB4wmESyxV8pj06e4isQ8gsHsjb/W1DBZ7DhsNcym:5MZpj06vUsMjbQ77D++
                                                                                                                                                                                                                                        MD5:5B74F4D8E9D47BD1F248193AF6100960
                                                                                                                                                                                                                                        SHA1:25EF85F59695D0D60B4FD0490AD39A6BBFE61DA3
                                                                                                                                                                                                                                        SHA-256:6BA0EE588B46E3D05A40955576E1D0F2C82EB315D254F1D3F587A9FC51A828EF
                                                                                                                                                                                                                                        SHA-512:63CA5F2E05A64028E084BA4760250B706836F8AE74A95F9F81262788BF49DD56E56FA371B3792B96C0F073DE45BF85FEA6AB8A67DEF5BD4325D7E9A37CF7E938
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):38992
                                                                                                                                                                                                                                        Entropy (8bit):6.295960647161023
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:gdfuvOXFXW/8O6bXD+eeIgLPRsnHnyhQupytM9z7O3zfXYvj8rbPH5nTLhCPsIlo:gxuJRRsnHnyhQupytM9z7O3zfXYvj8rz
                                                                                                                                                                                                                                        MD5:B4DBAA3533A39B9374EC9A3DF9CFE2D0
                                                                                                                                                                                                                                        SHA1:38906D9D3FFF7C58CF4D2BC0C2F54A91EDF2CAC2
                                                                                                                                                                                                                                        SHA-256:73396F9B1AC255E3877835B4A4FA4E00623795040A1C54B14C4D504CA83480C2
                                                                                                                                                                                                                                        SHA-512:BF1534427C3C94FF19C451E19887852A530FEAC1C285D65AFCA782374558F041CC85EB3F4BC37014809A19E2E4F8643842B9AAC5E92A1DE9C0C613096A6A185F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27728
                                                                                                                                                                                                                                        Entropy (8bit):6.554466088668113
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:JSgpZUlMxR5I1z8w3Uta2lQBVMxzMJktYm+9HWXCYBNyb8E9VF6IYinAM+oCKtKq:JSCZUl2O1zCnXyzD6EpYinAMxCkT
                                                                                                                                                                                                                                        MD5:643D074241473A3DA524DCF514C1AE47
                                                                                                                                                                                                                                        SHA1:7AA5A6CE315CD3DECE4F5A14F92A3C13F99514AB
                                                                                                                                                                                                                                        SHA-256:5763B143306B3EAF23871C4DE30F726A024A68A395E26C1CD0EA3D873CA6EA03
                                                                                                                                                                                                                                        SHA-512:6947C00384C518DB1CBA1BA19F65735D01A7DCF96CD2267FCB927164E6392786D7037BDE8C6984193E96A753A874252E22BDC6F5AAA3C75033A79D5356221E64
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41552
                                                                                                                                                                                                                                        Entropy (8bit):6.321443170649413
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:VUqoXsEgfFHoiikZ9y3BHdD+XR/tGo06BWEpYinAMxCZv:mLrgfPw3mXREaX7Hxwv
                                                                                                                                                                                                                                        MD5:0433BB0C58BFD97CECEB68FD52A542D7
                                                                                                                                                                                                                                        SHA1:AD638A6A23C0516285338F5FDA7C1AF3BF0BE4EC
                                                                                                                                                                                                                                        SHA-256:7E873F261F95AEC61C2C7F6D05768C7306C3DD267128286FA646E2B6DF267CDC
                                                                                                                                                                                                                                        SHA-512:894526AC0ED29E296D4987F36CDC44D933408E8182C185FF5488355AE3D20C1896EA675BE0D27C58A74156DE3B17E7DD72B88CFBA4A0F9EBFC54FA3E51B21FAA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138320
                                                                                                                                                                                                                                        Entropy (8bit):6.160678928460797
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:MobKO7RaoWuUeZk/f0Sh1HlWZm1ZZTdyGFkNUMT+P65jDtYQK:5bKKz1UeZk/Phv8lDuPai
                                                                                                                                                                                                                                        MD5:D755ED4DFE2F19DEB11ADE5CE5070F6D
                                                                                                                                                                                                                                        SHA1:F5A93E6C45004CB49398A54490F831CDAFF4349B
                                                                                                                                                                                                                                        SHA-256:936E73360824D627B42DD5401F8BC884E2B3B1D8A27267884275EB524CD7D672
                                                                                                                                                                                                                                        SHA-512:C49ABBDA336276A7DF68BF41355E23A52B6DD24079022A56A98C0B18D50FDF37BD3F469072B3F7903C94F7B7420E2CFCAC5A702D65155E0AA6C8C1AB2886EC1A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):52304
                                                                                                                                                                                                                                        Entropy (8bit):6.150052387080182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:sb1yYPvLtCJY0E+F3xeHwNaleirtqCVlXmL+7NQ1OaY7c4EpYinAMxCODiTdS:sb1yYPL0E+F+8inVlXNP7cB7HxNkS
                                                                                                                                                                                                                                        MD5:60DCBA37E0501E08289CF911B0153FBE
                                                                                                                                                                                                                                        SHA1:ADE883B487F4C2B359510E417BEB16E74166FE76
                                                                                                                                                                                                                                        SHA-256:8C28A5CD3B8FA97CBD2B4C4D269EC409AC2680576B47B1E110BC79DD475514D1
                                                                                                                                                                                                                                        SHA-512:77EE88BB8D745DB3E6D9FED894B5B3275E353FEC6557663E60188BF4FB764BDECD89CA89950D5223E15446D93EE2DDB181A37DFBBFA182963DD72E23F80E114D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):799856
                                                                                                                                                                                                                                        Entropy (8bit):1.7597847647294211
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:g/r3V645uWOL8/pCuPHnhWgN7acW5RjroUEKup3JdqnajvsKyhr:gx6Yi/uPHRN7y/oU7aJdlrsKK
                                                                                                                                                                                                                                        MD5:6A205C78D14FA91EFCA3AE531D1FF7E8
                                                                                                                                                                                                                                        SHA1:9E26E81DFDBA74AE261912993DE875D13BB0891C
                                                                                                                                                                                                                                        SHA-256:6444DFA03609248EFFD398E8562AF484AD0163A6C47CEE6D3A287FFDEF809AD2
                                                                                                                                                                                                                                        SHA-512:FD797F528519BD9B864394C2A45AFA5C7F94F58D1F2B55E0017987FB521C9F7292DBE1366BE778E60352FA8F9A08C10B7299AEA39DEEEE3A164BB105857FE7ED
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):132200
                                                                                                                                                                                                                                        Entropy (8bit):6.172481694612173
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Nw50BNfe5FxLyWnongSwUp+k7bAMZ7cPd:CKNfQxRncgS7bBZ7y
                                                                                                                                                                                                                                        MD5:2D13C1C8539D6FD7A0717941BF0357AF
                                                                                                                                                                                                                                        SHA1:0E70EA88A866BAF660950FE74482149456557BDC
                                                                                                                                                                                                                                        SHA-256:644BB3A1AFBEA6B835422B0987376F04796E38BBBECC08C94023638EEBE57F4C
                                                                                                                                                                                                                                        SHA-512:A52AE3560B22C354F5CE89358219A7FA2FEAA12B376F72B8B53E6ED5E4B02703777CF1678744E7C038C29616975C0E63DFE17BFCB0A9D53B394452EC17AD979F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1966298
                                                                                                                                                                                                                                        Entropy (8bit):7.9989725851892
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:24576:HELBDnMsmlLa7SwvAQAQI3/ehJQmjJaLbjvQInz96/pU7jy5EFgxivT9rnzvDbOU:kJMJig3/ekmlQjvQQLUNxqrzrmniuxa
                                                                                                                                                                                                                                        MD5:B110BA42CA8D339B18293AC3F1E94F03
                                                                                                                                                                                                                                        SHA1:E21AC41D052159076B34823D2653DB0DECDF7F8C
                                                                                                                                                                                                                                        SHA-256:C860712A06A55CDDDFED7A9F86F0DF36DA1E475B9901148D07D5B02331BA0F77
                                                                                                                                                                                                                                        SHA-512:D81EFA032F3FF5EDC247440CFF1E911A82230B757C02534209FEAD7ECF630FE5308F9A32A78CC229F175CB447735D539EB61039BFB4FF9F8E77B8DBCCDA2B0BA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):39359
                                                                                                                                                                                                                                        Entropy (8bit):5.001117795800814
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Yt5DUarXaaec21v5Oc5/MNXP4RBTEQ88jnfA:YvDUarXaaecC5Oc5/mXP4TTEuA
                                                                                                                                                                                                                                        MD5:B4CB4604F8C7F02757664874D862DD77
                                                                                                                                                                                                                                        SHA1:6FDB3AEBCEAAFBCFE21333DA021DCD96F8B78B7B
                                                                                                                                                                                                                                        SHA-256:54289873BCDBAD889E6304E7E1B21D5973BBDD0E1AA73BD19382CFA23713D1CE
                                                                                                                                                                                                                                        SHA-512:46C27C62CE35512643EE023630A264BFBE1CA41B18BA44E1659B3AF26C0A44E3ABA73D7B90DB77835A76CEE33035791887B722348AA98CB2C4CC9B32F30CEF01
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{.. "runtimeTarget": {.. "name": ".NETCoreApp,Version=v6.0",.. "signature": "".. },.. "compilationOptions": {},.. "targets": {.. ".NETCoreApp,Version=v6.0": {.. "Agent.Package.Watchdog/1.5": {.. "dependencies": {.. "Atera.Agent.Package.Infrastructure": "1.2.4",.. "Atera.Agent.Package.Tools": "1.0.22",.. "System.ServiceProcess.ServiceController": "8.0.0",.. "TaskScheduler": "2.10.1".. },.. "runtime": {.. "Agent.Package.Watchdog.dll": {}.. }.. },.. "Atera.Agent.Package.Infrastructure/1.2.4": {.. "dependencies": {.. "Microsoft.Extensions.Hosting": "7.0.1",.. "Newtonsoft.Json": "13.0.3",.. "Polly": "7.2.3",.. "Serilog.Extensions.Hosting": "5.0.1",.. "Serilog.Sinks.File": "5.0.0".. },.. "runtime": {.. "lib/net6.0/Atera.Agent.Package.Infrastructure.dll": {.. "assemblyVersion": "1.2.4.0",.. "fileVe
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35920
                                                                                                                                                                                                                                        Entropy (8bit):6.456207579215664
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:kj2zXcZGQ2FEagbbE9xEHCC+ud1VEpYinAMxCin:4YCauE9xc+K1O7HxF
                                                                                                                                                                                                                                        MD5:1E283F1A342729D63266E2DD2C851E2F
                                                                                                                                                                                                                                        SHA1:47B2551B2F9C3E9E6F2D68E67B1E0D0A539F315E
                                                                                                                                                                                                                                        SHA-256:98CE24EFC2EF680BFCD5D98E3AC273B148B0828D256ADBA003F57F66E1EC7FC4
                                                                                                                                                                                                                                        SHA-512:BD84EDA89C91DFEFBAEB6EA952A3BAF2EDBDBCDAB08B5A4437DB2A1F21F82A7BDDBDE9C12C00FEC8CD99FCE75CD945D189EED083BD0AD77DB00353B631DD5D20
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):159824
                                                                                                                                                                                                                                        Entropy (8bit):6.224052560324469
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:5czkitvo4BpYN/6mBPry8TXROLdW5m4mUR39OOGu0kpNY:5A4NCmBPry/N2jOOHS
                                                                                                                                                                                                                                        MD5:0B7534A49A757D7525F7FC966D6CAF5F
                                                                                                                                                                                                                                        SHA1:2548A8D4BFE81D194A42A6DF1761AB910DECCBCA
                                                                                                                                                                                                                                        SHA-256:312755B522A3CB212A2D5E0DF2888699C35DE233A2DC198C37475E2BF414B0A1
                                                                                                                                                                                                                                        SHA-512:4D3105E7669093DF8364543571D839D0FD573153EED27D82860984797FB30853C3F5FB7707BF97442D4AB71783012FBBB3D9AB1A2D6ACBEA335F06B756FD4796
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):13
                                                                                                                                                                                                                                        Entropy (8bit):3.7004397181410926
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhUkov:Wtov
                                                                                                                                                                                                                                        MD5:4F935A094C5DB43100C1C6191F1D2257
                                                                                                                                                                                                                                        SHA1:D35F739210BF40D4E936975C00BF90F015DA6847
                                                                                                                                                                                                                                        SHA-256:01AC8D880AA7CB47A4C9475593AC81924D0D51CEB9C3276BA11F5848AFA05FE1
                                                                                                                                                                                                                                        SHA-512:C60461AE0FE1DF07D67FC55012DCDA8E2615DBCEAA885EE1DB9FB2E4FCF71990730FBFA10300A957D8E1908D1B9FA61A36A665ED63C934E07958DC73606C5AF3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=1.5..
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):253
                                                                                                                                                                                                                                        Entropy (8bit):4.585549446641918
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:3Hp/hdNyhAkI/XCkyFNOJeZS1sHZeQ6NOCUo+K8EkNTy:dFkp5MeU1s5hex+K8Es2
                                                                                                                                                                                                                                        MD5:24E4653829DE1022D01CD7DDD26E2F22
                                                                                                                                                                                                                                        SHA1:9160A009CB381E044BA4C63E4435DA6BFEB9DC6D
                                                                                                                                                                                                                                        SHA-256:DED3AEB5856A11DB0B654A785574490CAB55839EBFB17EFE9E39B89618FC5B91
                                                                                                                                                                                                                                        SHA-512:EFD4BBBA1BAEC0B47003831510E3AA539DB9EF468E0F06BA9D7BA6D0B3800035F7C818D7D90171BFD377EC97D08C4617555BCFF635DD83EFCEB412B1A9CCA820
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{.. "runtimeOptions": {.. "tfm": "net6.0",.. "framework": {.. "name": "Microsoft.NETCore.App",.. "version": "6.0.0".. },.. "configProperties": {.. "System.Reflection.Metadata.MetadataUpdater.IsSupported": false.. }.. }..}
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):53840
                                                                                                                                                                                                                                        Entropy (8bit):6.300468155319662
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:4dUSqld/oh93y+UR4ULL4L88EKNoo9sXQqt9EpYinAMxCQr:4d2P/phL4L8KGo9sgqt27Hxb
                                                                                                                                                                                                                                        MD5:355567F26142F9101526CB91F98FB03D
                                                                                                                                                                                                                                        SHA1:B7D5B6C9D78A4C7F4775F79F68B640D2E90DF1E0
                                                                                                                                                                                                                                        SHA-256:6D81FB3829261543D93FF02BF239BD25A39E41DCB645381F0A8C9D53E8694A68
                                                                                                                                                                                                                                        SHA-512:C72ADB068410D53C085BC5DEA0CADB6D2C55603566923C12547CA2D897D1F238F706BD1F7A046E97A8A21C95DB4B97EE70A32BD559437508B65887686CDBE6A3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):66640
                                                                                                                                                                                                                                        Entropy (8bit):6.273913453163328
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:PO4QNCMhTIDWo+hDbEicjIeoCtU1a1ZTG/2u2Xv2vFbanu5fEpYinAMxCIiO:xQTIywi3eobgTG/2u2/wb0u5Y7HxwO
                                                                                                                                                                                                                                        MD5:90916CE0E528B775C1179E96F86CA200
                                                                                                                                                                                                                                        SHA1:6F64812C50EC9E6672CB088903F913168F35430A
                                                                                                                                                                                                                                        SHA-256:BB828056E376EF41E40F212FB6AD2990227CBCF821D4835263180C4768795249
                                                                                                                                                                                                                                        SHA-512:EB027447FB79E3E0A397EF173205596C8DFA936C9CB0F88B9A27ADFBB0F3E1B4E28F18FC907F3BFF2C4A39BB03B8131A5998E90F2BA60E4F522B7BF36D1C18BD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):186448
                                                                                                                                                                                                                                        Entropy (8bit):6.958336672022744
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:ChOh6zHpz7YSkfd6kUYm4wlb6QAGcbLQpgjOHopZb7UsUDfAbmn1F8mkmBC:ChJ177+9jQAVph4sUDfAbm1F8MC
                                                                                                                                                                                                                                        MD5:6DDA20C58ED67382D0B5D7A17FAF6A4A
                                                                                                                                                                                                                                        SHA1:5C39B32EDAA98E70BF01DACE2C59D6EC304F8DD1
                                                                                                                                                                                                                                        SHA-256:43EFFADADAA2FD01EE7DB52BFEC67F9A1E9E2F8FC276B4EC244BB24B854315BB
                                                                                                                                                                                                                                        SHA-512:8984AFB415FC19ABB4358455DE47FD4FB3EE75F005772AF4204508F1DB47B21E93EAAC7410FB5001BC59F922A5489599FAFCBF589B6DCBD891C9686C8BF46B71
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29264
                                                                                                                                                                                                                                        Entropy (8bit):6.524120604887875
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:9+q+2Vv/+usFlLVyKo/9ETG/DwzzRjz69M1ZVMdWs6NWsaaNyb8E9VF6IYinAM+R:9+EF/CvyKohrqnDEpYinAMxCtz
                                                                                                                                                                                                                                        MD5:8A86E5FF5D774C00992E276CFACECF80
                                                                                                                                                                                                                                        SHA1:F19FD07AE29B32579E75A0E4E738EF878835A037
                                                                                                                                                                                                                                        SHA-256:BB6667D93A1258A76DF2C007083A1E7CC000BB5BEA3195544EAC733C6259A540
                                                                                                                                                                                                                                        SHA-512:B35960BB4908F05602D375AD24316E293B05FEC90A6E366D32F3CA7CA37BDBE0158F572EAA7BB8C6C387691DAA2AE213258603E4658BA99767FDC0D9BE4E5972
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):42576
                                                                                                                                                                                                                                        Entropy (8bit):6.408969180714612
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:uThLeDjUB16TI1CQ12cMcFgL/l5d4EpYinAMxCB:uTvB71dEcME45dB7Hxy
                                                                                                                                                                                                                                        MD5:071B50004B2ABE329A964ECD09A7E896
                                                                                                                                                                                                                                        SHA1:08D2A3056856235113C43CA3FA27D47C759F7EB6
                                                                                                                                                                                                                                        SHA-256:E8C446C1ACC2E0BC2DC9A80E286456B9A84B5DB5B1D4101C612BBFBD331EE0A9
                                                                                                                                                                                                                                        SHA-512:6608AA59D25BB19F7B34717083C8BD60CFAFD299D982445BC491C12E265C9BDFE92A23CCE45074583184C6F2A128CD2646EF05DF59FC82C7B5CF4D8F3046E19E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25168
                                                                                                                                                                                                                                        Entropy (8bit):6.670940956884048
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:wYEMITBweJkneGO3WKGW9anWsVNyb8E9VF6IYinAM+oCOScXu:2TBwa7dEtxEpYinAMxC+u
                                                                                                                                                                                                                                        MD5:D950E5EC874F7C62306B93500FD36BBA
                                                                                                                                                                                                                                        SHA1:530F5F348CE9B50C396629A16F6F815F2495722F
                                                                                                                                                                                                                                        SHA-256:416CCF9CDAB49BB9DC2B4259E0D5B4434540AC82C1BC166F85D3CBD9F8942D4D
                                                                                                                                                                                                                                        SHA-512:B374D9A55A99603CD623D0876CEB8235FC235A09C8DA9BD0FEF9AFB2EA11574811E9073AFAF6DB56697AA3E75546BC61F029384404544D0299046EF239406E96
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21584
                                                                                                                                                                                                                                        Entropy (8bit):6.717352450932083
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:N6jxRm3soGTeZeszQm31WUKeWsJNyb8E9VF6IYinAM+oCen75ikD:Mj23spTeZposNEpYinAMxC7kD
                                                                                                                                                                                                                                        MD5:C2177320BC76C026D8C554D8CFEC1F2F
                                                                                                                                                                                                                                        SHA1:A208DC6AE7A5FE8FBAF5F5FDAC980B0360A667EC
                                                                                                                                                                                                                                        SHA-256:F971952E34D3BFA8263D8B5FD7F4F251B9D8C969E3EC2325AF0A3BFFD43DC946
                                                                                                                                                                                                                                        SHA-512:39A7258DF35A89A6A9B68220CA0AD159839739F8EC6DF987EE7C53CEBC2B55C44A3FD81718F620B45B14EB6AF2075A1AD5DDFA895CF34B71A0947B1BEF7CE389
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):28240
                                                                                                                                                                                                                                        Entropy (8bit):6.602224449204335
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:pzp434gr92+liFe/5XjtCZ0UaFoSc43IXABPpBzWq66WstNyb8E9VF6IYinAM+ox:5xk1/9jtGhScRwPpByoJEpYinAMxC8LX
                                                                                                                                                                                                                                        MD5:A9BB401E3DE7FB6FC038DC6BDC27591B
                                                                                                                                                                                                                                        SHA1:CB1CC3D6E4A603C1B25350D5E5581193A80D3D9C
                                                                                                                                                                                                                                        SHA-256:1B15C473C30E52A08ABDA9FFF9099E5A51EB8DB5733A7EFA29FCCEA2C17BDB6A
                                                                                                                                                                                                                                        SHA-512:EB5C0910134420FB6717039FD95CC819C24FA0F3288A83DD43363CFD902D3FD39686B3E0D74D29B0604DD771D7215DFF2EE39713D49A760E2113B86CF98BBAAC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27728
                                                                                                                                                                                                                                        Entropy (8bit):6.567134242779113
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:SXLAulT7JkcAoWovkT7jF6zOFz3Ge1l68mWka2WsCNyb8E9VF6IYinAM+oCltvGw:mLAux7yUcT7jF6aYhSkCEpYinAMxCv
                                                                                                                                                                                                                                        MD5:97C4011B8FC681C68FC0D9A0AFE05134
                                                                                                                                                                                                                                        SHA1:E3C5A7264874ADAF421303D679637C35DC3A1EBB
                                                                                                                                                                                                                                        SHA-256:B9FA3DFD672088A280B1B6AFB38E9539B195B85D8351F6753D064D10F23A8617
                                                                                                                                                                                                                                        SHA-512:70CA32792A0FB2325BC511FA1A298D1D03AA7D8E72B6F1F05443C0FE2D8B01521A745F4F1C8D7CE1FC27E6AEE112E8C499B2FF79C885BADC774EDD942C732906
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):26192
                                                                                                                                                                                                                                        Entropy (8bit):6.549189808431148
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:pMvnbB39p5YGTv9uuM1iFSF3yE1LlW9KCWs7Nyb8E9VF6IYinAM+oCUYO39:pKnbPplTv9uuLuVwXEpYinAMxCq39
                                                                                                                                                                                                                                        MD5:7D44B25B42F8273E1B95DB0D73671E84
                                                                                                                                                                                                                                        SHA1:265714D11A304A27443F9DBAFB33A2987C5AF845
                                                                                                                                                                                                                                        SHA-256:823154871F155DDCCB8DBE9DCC3078263A6C296D32524564E90B106930992987
                                                                                                                                                                                                                                        SHA-512:563E7DB622C13C19BA81E5C123C812A8FBEB4D50C6BB2A1686C728180A26CC246D369B1BB5B8536D28A2105CA9D8DA7C8108AE3EBE302CC180EF29BFA5C8B3A2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41040
                                                                                                                                                                                                                                        Entropy (8bit):6.41098819814607
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:e054t3ibki5TCk3jqEr0WBum6JEpYinAMxCmd:ePtnUj/Lkmp7HxZd
                                                                                                                                                                                                                                        MD5:CA14EEE1F7605296B50D9471B3846A1A
                                                                                                                                                                                                                                        SHA1:E26129A1044FA6A4A85A8890D3569C3900E338D2
                                                                                                                                                                                                                                        SHA-256:F7CAB383114EDE19662B14EFADEAD8E76FE59954DE5464BA64E270587D738206
                                                                                                                                                                                                                                        SHA-512:8EF77602DD6D4F86E3607A287F8E07567B216D73FA442FD7B9165B1087D2712817FAB690107EC23929EB519560CFAC897FE6C794B941A6E69CEE6D3CF661DE63
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):45136
                                                                                                                                                                                                                                        Entropy (8bit):6.259777287029036
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Kq+RszBJV7CkN9YxrIvw2DLBjYAQP0+lyJ9PPAEpYinAMxCsi+x:Kq+SSkNNjdQc+cJNh7HxJiy
                                                                                                                                                                                                                                        MD5:0E56D17A0B873639366047CE26A5E063
                                                                                                                                                                                                                                        SHA1:491A1C758D27BBA08ACF9CFC87468988545835F0
                                                                                                                                                                                                                                        SHA-256:559CDE153D2C725745796BE20B7FE5C197DBAFBFBC3A2D4C44CC025DD75AF8ED
                                                                                                                                                                                                                                        SHA-512:A026E4CA433846D0DC3FB53826770DB45C8D765B1705D6C0DF45991440809AF2134F8608E2E0DCABBBD539049E72DA701F2951337B6CFB3ADDE43A72A739A578
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):85072
                                                                                                                                                                                                                                        Entropy (8bit):6.2673588925221
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:nNNgvCsvGPrpqSMo4Z9M4IIWSYe2Kbj5u6fjQ+7PMMcmnJz7Hxfp:nMCsvGPPed5ZfjQ+rBvJzFp
                                                                                                                                                                                                                                        MD5:68E188489CD2966EF4B9E8864B5236ED
                                                                                                                                                                                                                                        SHA1:23A5FEA5C4787804CF140741AA35F7CC55229977
                                                                                                                                                                                                                                        SHA-256:97BA41B72AE55EA3FC47A6D48769638F608F8AD498A0A81E4780C42C45F34BC5
                                                                                                                                                                                                                                        SHA-512:C14EACFA5ACCAFE998FD55868A91FAFDB3A23031A6DBECCCD76ADAE1E4F43C414C6C3AEBA4D4F4FEF04E0FCA8CB6B7F08017937E353522775924F1992377235A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):23632
                                                                                                                                                                                                                                        Entropy (8bit):6.618432341469682
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:OVAko1Z0S/oj6ETt9EQMVSz3PMA2oWs6hWso4Nyb8E9VF6IYinAM+oCqJ2qui:O3m0SM3Tt90Pl7fEpYinAMxCa3x
                                                                                                                                                                                                                                        MD5:AC95850E08238CF3A6FFC51D47BCC1DB
                                                                                                                                                                                                                                        SHA1:06CC0E13887DC0030A0DFFE067E01BE77D75CF4B
                                                                                                                                                                                                                                        SHA-256:B788F714E91102C2D34FF5E20A07F7408E9EF74343871942E5889612EBBE70A5
                                                                                                                                                                                                                                        SHA-512:58B35DA53926365A3502BCDE514E34C3159EC5DF7672527C884FF5057FF1089F0124EE79F66EA79E6004DF4CD14805C4495C43AC0C38AA07851303F3FAFADF15
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):45136
                                                                                                                                                                                                                                        Entropy (8bit):6.430057016218873
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:FxddbVKFC/2DfTMFeuzpdUTVoIEu3GzN/EpYinAMxCMe:FNxxAYFeMpdURZEu3S+7HxZe
                                                                                                                                                                                                                                        MD5:123D79B76609A0E1B4E7977FF4283822
                                                                                                                                                                                                                                        SHA1:E4F25CDDCF76FFB2569D22D2090D32B33A98512B
                                                                                                                                                                                                                                        SHA-256:871B2C2230BF4079699D34AFD6A262B7FF362431D7B2A0F4C3539A6F7D1C267C
                                                                                                                                                                                                                                        SHA-512:C4EF8889F3DED86FBDE77EFB0A017B14F6888984F0F9A7B12FCC6CD782816B78878B0F853EF2BCF0A18F6C7966D8E495B62CF11B8EBDDBA94440FFA2F2A51AF6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):47184
                                                                                                                                                                                                                                        Entropy (8bit):6.373451878905772
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:ekfEnkM0vRbJ05axPAONhO+JZIkp5ygv/MFKEpYinAMxCz:LEkMoRxtzIk3ygv/Mp7Hxw
                                                                                                                                                                                                                                        MD5:83CBC69E9A528F906F2EB5B9528FA378
                                                                                                                                                                                                                                        SHA1:0638CA4EB918BD9A7D68C5731D831B57E5D48019
                                                                                                                                                                                                                                        SHA-256:5F7223586AE47F001319524B3A9BC4B635A0D44870733D46FF1BFF780485C4C2
                                                                                                                                                                                                                                        SHA-512:DD817FBDA24F1DC42C83C44D8A301123D5751895F5C542FDF3CF82CA1459B7728D897C3B3C5F1E1915282B7B4968F93ECB6D0DB4ECF80E79093C4F2B47B9420B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):33872
                                                                                                                                                                                                                                        Entropy (8bit):6.465515280994496
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Tup+kjcS4GAF7ItpTYbg8lAZnsboXAEpYinAMxCnpD:Ti+YoF7Itmbg82sboZ7HxS
                                                                                                                                                                                                                                        MD5:B4B6928B6ABD9BA62549019FC1B6FF19
                                                                                                                                                                                                                                        SHA1:AFD5DEB02D315D70867335839BA2208DCDD94D88
                                                                                                                                                                                                                                        SHA-256:03BCCF47620E2795ACDF4519C3E21E2C9009908A7B4CF39312DF8560CD3B4815
                                                                                                                                                                                                                                        SHA-512:219472590F21237FBBC3F6F31D4C1320E356C5C13DA41AB0B538A2E9F0788B59E4E847E52177719F90B90BCDF496E21CA5A894E019C5BFF923AEFD1774E07ADF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):66640
                                                                                                                                                                                                                                        Entropy (8bit):6.302989427949227
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:syK1UG8tMAv0by0P/vGCnbr1hmiBPIIk+n7Hxu:sykl8tla/nbr1kiBx3nI
                                                                                                                                                                                                                                        MD5:3FCB549ECB9D84B10FEF1727AB043DF0
                                                                                                                                                                                                                                        SHA1:BDA06DB4121EC85DDF7F2259D92CFB90C0C18734
                                                                                                                                                                                                                                        SHA-256:AA96A108023C9FE0A430AAE727F8C8D296B72D781A49E14C73BF5FF33EC792D0
                                                                                                                                                                                                                                        SHA-512:5BBC0A63ACC4D4E3264234D472DD6EE5ABCFB762240B2B868DC344530AA520979C06B02A1BAAF43CD3B293EF3D1F8FDE7341E0413A4A9436473DBE3BF3E4A462
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69712
                                                                                                                                                                                                                                        Entropy (8bit):6.226077670195515
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:VsDE/e+9cxoZhNyjcMiJSAopUx+ZA7Hx0:GDE2HozNyjcf4o2Am
                                                                                                                                                                                                                                        MD5:3CE2B431D7D349BABEE6937AD0851309
                                                                                                                                                                                                                                        SHA1:55FF7B9337EAE6B278756C8FCB8C021E04A1AEFD
                                                                                                                                                                                                                                        SHA-256:10E29D6B33B40B7D82298E40A19AC06362B1A51BA5C94C3A7359F5462EB22697
                                                                                                                                                                                                                                        SHA-512:07857ACE3128BFB698EF44524451F6E07596EF48F39F8806428473CABC0C71C2348601519BCC6A58237C919F0E1212021525544C8F8A15CCAAC4912ECEFCDF70
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):64080
                                                                                                                                                                                                                                        Entropy (8bit):6.289710606184699
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:M5PhAi33m3UOZsd4IZnuQDLtfjfC67Hxx:gPhAi33mhZiHlvtbfC6P
                                                                                                                                                                                                                                        MD5:31CD265714D3C3120210364A14DD572D
                                                                                                                                                                                                                                        SHA1:C5F8727A6E42429D2CF37B59B8A523844964C623
                                                                                                                                                                                                                                        SHA-256:8FD8996D02C0A89E548069CF924B4E94250C5B4D11261E6D327657F9717E33B6
                                                                                                                                                                                                                                        SHA-512:9B238628C89D4F72638DDDEF2FBB1155DA7917A56BBF749B96855822802ABAA4B76FE003721E17560E802A1B3478A49A3DE7C02F6F45B8DA54028203DB97D511
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):28240
                                                                                                                                                                                                                                        Entropy (8bit):6.542681843112789
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:31YBj07ZyQvkBd9aocTPMuiEjYpR6K698kwgcWWxseU7RWsjNyb8E9VF6IYinAMh:l4jUv6iT9jsi8HyeU7L/EpYinAMxClNQ
                                                                                                                                                                                                                                        MD5:5D53FBFB6C56DAB2AFC15E814956483B
                                                                                                                                                                                                                                        SHA1:927D7F1B9D0493FAE2C900B73734E5A323ADDED6
                                                                                                                                                                                                                                        SHA-256:23EE1A91AED2309099858E2E11EC499AD3AD4532E70E0B095DF2CFA118BAA85C
                                                                                                                                                                                                                                        SHA-512:0B775138E8653240D7DD888F6CBE4EFAA9BD7762887D3C9D64F4FC180F41703D8286DEE63B2D09314E8CB98B319C5FB2C9DD1739CE3F207AFA1AD9C3331F29F6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):59472
                                                                                                                                                                                                                                        Entropy (8bit):6.334054400696551
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:t7WAluzJ+Je2PS7kJFT+OUjz+Tf26auuPF1/krd6zkwQRIOIzb7EFEpYinAMxC6z:xJ4V26g1YuuP/2IOe/7Hxp
                                                                                                                                                                                                                                        MD5:5C0ECE8A6364AD65C5D01B762D721F40
                                                                                                                                                                                                                                        SHA1:2CEF9284C94A608269D581A4588E81E485378F3E
                                                                                                                                                                                                                                        SHA-256:A5B60A7BAAA84EA94FEF8704737B6845823A2C1DA0B9F95240CFC61C341FA2FB
                                                                                                                                                                                                                                        SHA-512:E327BF974B9E909C147E67643A7A972F11C2BC3466B622A2286C3E9C0AF003E333A392090314D850DFFB60CE35B05441C8373D9EADEAB4EFFADC9032F2B98566
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21072
                                                                                                                                                                                                                                        Entropy (8bit):6.659500044238884
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:UzhlvlfTcbY3SCkWJOVMWs4Nyb8E9VF6IYinAM+oC2aJ8f09:KrfTcbY+uwEpYinAMxCTY2
                                                                                                                                                                                                                                        MD5:DE75610B9B79DB4EE9FF93D756E16D4D
                                                                                                                                                                                                                                        SHA1:2B3BBC1AF7191893FC42A450280ECAD9A5C68FE4
                                                                                                                                                                                                                                        SHA-256:4C036AF950DA497F34F9E325F84A5502DE8AB373559FEE971DACA0AA6C791248
                                                                                                                                                                                                                                        SHA-512:B9CBE72BCA53564FF77C8B02598190966290DF010902114CB7FF91E6831F87B8833984AA2F2E42F9870A28919A32C9C4B4A7A14901E36272F4EA1029C9C06A65
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):26192
                                                                                                                                                                                                                                        Entropy (8bit):6.6410774484512896
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:T3WWQsE/8iqjnqHTnBdOHFgYVwOU3NW2qFWs/GNyb8E9VF6IYinAM+oCUo0eD05:T3hQsE/8irTnfYFr//OEpYinAMxC1ny
                                                                                                                                                                                                                                        MD5:F07B5825DE2EFB3133BBF61FA2A4CB76
                                                                                                                                                                                                                                        SHA1:B6CC2BE8845C0774E932B2DB1FBCAF788BFBEA9C
                                                                                                                                                                                                                                        SHA-256:A4EEE595F17C9F26EB0DC6694580DD5873938DEF495C524EFFB0D82BC3F4262B
                                                                                                                                                                                                                                        SHA-512:F24E824FE41280C9BC170D9DD1016EFC236650E7762EB115DE02B9593BDBD1649FDE1FCF9B7D387C533AA6BF9651B5AF701ABDD10D2D4B1BB072EBAB1B594DF4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35408
                                                                                                                                                                                                                                        Entropy (8bit):6.577511960397023
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:6oi0m9/A58Ph+mJ5fvIK0ixTryfCWo/zKeGmquanccOB30RtWW3aUWspNyb8E9V3:KDhbJ5nR02TQCWoJ92tEpYinAMxCtm
                                                                                                                                                                                                                                        MD5:6628C561065DF3B10639846B7F7DC3C3
                                                                                                                                                                                                                                        SHA1:ACBE77E78C99E86866870874A2311DCF4902BAA5
                                                                                                                                                                                                                                        SHA-256:9996C340E4E83C44110028CB28F20E9B24EB126742409FA718F90EA2A16379B2
                                                                                                                                                                                                                                        SHA-512:DB9BC520D226A1E702DAFB2F2F6E0064984854844AE214F52BAB27E9A8B39F9A5AAFF9BE87BE79FA4C5E4B9D134098AE0B72C424D09E057D1B02A75E79C9F810
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):48208
                                                                                                                                                                                                                                        Entropy (8bit):6.412254540457386
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:q7d427HfKy1DQ+SKKKKzqPo6Zkn2qZKqLzZdd0UFxlEpYinAMxCp7VCb:q7d42LfKy3SKKKKr8keqBdd0UFE7Hx0a
                                                                                                                                                                                                                                        MD5:02D75B740B732B9D45BE1C9DEEE82D52
                                                                                                                                                                                                                                        SHA1:145DE3697B7BCCF7F39EF5C1B813F9A213664017
                                                                                                                                                                                                                                        SHA-256:D56BEB31BC6BCF54AE02721D3CE2B6F42D7783483B67DB2B11E5C56E8A29EC38
                                                                                                                                                                                                                                        SHA-512:0E6041D18D62FFBBE4B9906931322F5B3856C462A330922C6264CE99E983811CF139AA52A9C10618AE8035B85B929CBAA3F0DF6FF12D29B9E269E9945C1EB232
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):24144
                                                                                                                                                                                                                                        Entropy (8bit):6.63064410442664
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:by1x30dJaeTP8pBT7xe3SUDtzWzK0WswNyb8E9VF6IYinAM+oC61mx4iw:bq/eTeABdWIEpYinAMxCa24x
                                                                                                                                                                                                                                        MD5:D73F1C9FDCAA14AA98AD1D62EB4F61E8
                                                                                                                                                                                                                                        SHA1:25180ED081DBAB955DB2E321A42820313FCAC737
                                                                                                                                                                                                                                        SHA-256:5AB6AF65EAAA7BD38B13C2E0A184D241530FD113B6DB218AD6D138A1DCA327E2
                                                                                                                                                                                                                                        SHA-512:35E80F9F724BE46786ABDCC77BA6C4E1065A41F4213ED1B8D25B37C6CF61B7706A5F9AA87A1C5A74C96BC3D2454968541C424D6D1D4B15A64867191A190CFFB4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61520
                                                                                                                                                                                                                                        Entropy (8bit):6.349315131405323
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:1g+uGuV+1mb5JtoNIHQs1YyH67beAn9eLfLaV7CvS4vEpYinAMxCkMq:1g+uGuV+1mbaqvy9OfLKMS4I7Hx8q
                                                                                                                                                                                                                                        MD5:64A1C30750E208D114638514140D2FD8
                                                                                                                                                                                                                                        SHA1:98F1BFAE55DE97059C7BC6A53FC6F8254C6A9EB7
                                                                                                                                                                                                                                        SHA-256:E329AF9E6DA9753A31B9908BD6F4655C646C20C088589AF9477515D37F73190B
                                                                                                                                                                                                                                        SHA-512:450FEF2F9C1712CAF22502C9906582EC6DB6D8F6675CFDC78D96BAFF5154675CF52B4A278306FCAD4A231C7E266B8F7690A6FBE23A8DD9455AE0B8FCEDC5505B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):42576
                                                                                                                                                                                                                                        Entropy (8bit):6.373492302570736
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:TKsIwjxNp8hpwVeEfHuX1QUIh3kOP7oIyWb3jec/uiCR9Crw/EpYinAMxC2xD:bd8hMfHuXbIkOP7ym3jZ/uiCRgrd7HxF
                                                                                                                                                                                                                                        MD5:25CEB30BC69DC05B69F45F672AC1C1A4
                                                                                                                                                                                                                                        SHA1:63A1CC9B52CD8995EA1C17794D2F75E6F5E0B6E9
                                                                                                                                                                                                                                        SHA-256:EA390CC64028A77BA72653504499E9C0B131770DABD23D9E4AC099677B35315F
                                                                                                                                                                                                                                        SHA-512:0D6780C9B883D555BBDC25E08FAE14EBA3583484B1BBD366188CD9350EECD81B4A3433054872F81EC6B361EA794BC2A217F1A92D4ADE9A83182F7F2B4B9DEF9A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):345168
                                                                                                                                                                                                                                        Entropy (8bit):6.142154867122924
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:1pc1zjTFIfqAnI7FZVllnuJxKrSj8r2yQQLeBLPHGUdlWOAlMoBJR1TaKwQz8weI:MpTCqAn+fnw5h9hdls+IZTWcd
                                                                                                                                                                                                                                        MD5:E20A8D1854150A56856901090B816B6C
                                                                                                                                                                                                                                        SHA1:1F2C25FD9435D137ECEB81B2A74FEE6CBCEAD01A
                                                                                                                                                                                                                                        SHA-256:6D3F41537D09414352E42874430E3D44A8508F6FE843E52F124DBC279E76ECDD
                                                                                                                                                                                                                                        SHA-512:747A5B2C315E26558F99436B463DD766AD0E99F527A7836055CF5898FD7BE649ED8AC5613148D80F39AF068C2F556463CAE9A242939948F110A8A517E705B3A7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710736
                                                                                                                                                                                                                                        Entropy (8bit):5.954282787995899
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:/FIM0KteTMN4Or4D3OdmZg5WHEaEDIGBBjgrIQtD+tVqDMQ:9zMTMNNd+g5Wk78GBBjgrIQtDX
                                                                                                                                                                                                                                        MD5:35FF6C65698485C13B0796ACA1E1E860
                                                                                                                                                                                                                                        SHA1:64C4DBCBFB0C81F34E3E8C5552A9B6626C740F50
                                                                                                                                                                                                                                        SHA-256:683039C3676D8437E99C0A98FB8D4C4D2D47258DAECD897F1532640B2FA82407
                                                                                                                                                                                                                                        SHA-512:E21CFF5489A6D141CE72D4639F5BCB23F18155EBD64347BD179146D53D4E99285D39E3A1B9483C697D73925B76E56E2AEAE5F63D3BB5C8E9C5B65BCC826F78BB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):285776
                                                                                                                                                                                                                                        Entropy (8bit):6.198879246365342
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:QMiAQB4wmESyxV8pj06e4isQ8gsHsjb/W1DBZ7DhsNcyZ:QMZpj06vUsMjbQ77D+B
                                                                                                                                                                                                                                        MD5:40F70FD9AA352F6954C048396533A13F
                                                                                                                                                                                                                                        SHA1:B5CACB14C795B8F03CA62A2FABA9032FAA5C5A62
                                                                                                                                                                                                                                        SHA-256:135C5B3FC4A3307FB373D466D8E0993F5899AD725AA3A04433D4CB22E205A1D0
                                                                                                                                                                                                                                        SHA-512:6AD391AD6603C4CA8A168B31968FD9DCC467D23E38A93FD616F5DF38F00A0B4152E6AA9166C37D63D96C32FEAE01DC15709F7E7F2BE37CEE3CA18F063B69EE02
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):38992
                                                                                                                                                                                                                                        Entropy (8bit):6.2961633461406645
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:vdfuvOXFXW/8O6bXD+eeIgLPRsnHnyhQupytM9z7O3zfXYvj8rbPH5nTLhCPsIlc:vxuJRRsnHnyhQupytM9z7O3zfXYvj8rb
                                                                                                                                                                                                                                        MD5:318DB17FA7B98E18B6C3A6A139341D51
                                                                                                                                                                                                                                        SHA1:CF98D3D9E98D198D8E30D221EF9ADA5441A88B5E
                                                                                                                                                                                                                                        SHA-256:4D3114B2CF333C56CFAB3CD9CA3C0C16571D337B7E5EBFE72BCDA5C6BCE49E6A
                                                                                                                                                                                                                                        SHA-512:8CD7EE526136FDD48AA900193F2A3A9B0B371569D5ECD21ADF1E57A88DF275579C2C42FEC9B48549C505A605FED016696377FB5B80261EBF36706F818F9C0232
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27728
                                                                                                                                                                                                                                        Entropy (8bit):6.552984475987511
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:iSgpZUlMxR5I1z8w3Uta2lQBVMxzMJktYm+9HWXCYBNyb8E9VF6IYinAM+oCKtKL:iSCZUl2O1zCnXyzD6EpYinAMxCk/kp
                                                                                                                                                                                                                                        MD5:DB2C92A173A2A0373A1F8190E95FA17F
                                                                                                                                                                                                                                        SHA1:FE61CB7B6B8E90E438F17A58775F3A70235744CA
                                                                                                                                                                                                                                        SHA-256:DD3547F40D823D6B0462C9C11CFAEDF306E01782BF28AEA9B0C31DF6812D7E81
                                                                                                                                                                                                                                        SHA-512:66BE8021026769C4509577F77650DD4D20C50EBDC6111342AB91A0C590118E5288B5524E6AF104B1505602231B3B14830E318563FA83F1F1D13C9F06CDEAE86D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41552
                                                                                                                                                                                                                                        Entropy (8bit):6.321380010408937
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:MUqoXsEgfFHoiikZ9y3BHdD+XR/tGo06BWEpYinAMxCD:jLrgfPw3mXREaX7Hxc
                                                                                                                                                                                                                                        MD5:680AFEE0D0AE8CBE3C14E8B2E98331A0
                                                                                                                                                                                                                                        SHA1:A4536CA35F55179DCFAF8507D8BED284F8A87285
                                                                                                                                                                                                                                        SHA-256:9BECD7633640CCA28369CE850BE2F2EB7F3D41B32289D7E4D99FD53E014844F5
                                                                                                                                                                                                                                        SHA-512:586B4D5AB7274E0BBD26CA7B6A08A39D83CCA6B134523342094F0159E42873AF987908DAF52B7947402288E7C399C78EB63658C3591C708A24B7270936B16F5C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138320
                                                                                                                                                                                                                                        Entropy (8bit):6.160416546932122
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:cobKO7RaoWuUeZk/f0Sh1HlWZm1ZZTdyGFkNUMT+P65jDtYQn:JbKKz1UeZk/Phv8lDuPaf
                                                                                                                                                                                                                                        MD5:347415351ACC3FA1BB4B12FE70D8DB3E
                                                                                                                                                                                                                                        SHA1:CD659D48CA294880D2A950521869E3629B680873
                                                                                                                                                                                                                                        SHA-256:72A60990CB728C500FEDB1A6BC89D8EDF4661C89FBE3B899A7D8B2674C59CA1C
                                                                                                                                                                                                                                        SHA-512:CB8EE748F5604EB81299B48B8C0225B1C9FB557472112CB576304E6A52BDF4343BF28F1169E4B60C60357D26910004012D136997C165E226E1B5FECDC397F878
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):150096
                                                                                                                                                                                                                                        Entropy (8bit):6.238069789487319
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:c0B07tjJYVNSCn+tn3nUMI000000I+49U2BL1krvm:v07iSqSnkMDjyC
                                                                                                                                                                                                                                        MD5:06740FA9E73A184DCEF81A0F9964BC0B
                                                                                                                                                                                                                                        SHA1:E0D18EFACEE6AA0431EFBA2ABD4F0BB34E47BB41
                                                                                                                                                                                                                                        SHA-256:91A4499366A332F2EA2EAAF8CCB1B67582553E8ADF067DE6D3FDC4D8B4389071
                                                                                                                                                                                                                                        SHA-512:B021F4ACDF88EB321981278F8F38D385D200227C975C3A289B2D1BB2D948C5336B78196119B07CCE8C6312926F9F1DE07CB5D0A8D4ADF979C664C8B8A25CB805
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):52816
                                                                                                                                                                                                                                        Entropy (8bit):6.18197692498772
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:NtgEqel7clEfRWOuDXaVIWb0TadZjirgFDrGfmAXOaYbMlfEpYinAMxCr:NiprEfsOuD0hhji6DrLbAY7Hxk
                                                                                                                                                                                                                                        MD5:161E234AD2B220206DB6341B670DBD06
                                                                                                                                                                                                                                        SHA1:B5EAA6BE5BE77227139F2298312A406EC959ADBD
                                                                                                                                                                                                                                        SHA-256:DF6ABCE21AEDCF0106303877C88F0039C52BB5C5B98B537D9C079874965E9875
                                                                                                                                                                                                                                        SHA-512:4999FC5AE69EF904460794C33D9E5642ED2E47A4104C6DC3CF958DC524159F59D3335547BCA5EFB182D87773124BC6E35C524B2488CE0EEBA351BE5FAF3DC5C4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):34896
                                                                                                                                                                                                                                        Entropy (8bit):6.290935546349103
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:K3wGplLcGsTK/lWNVz7MW+N92D1NlteVXEpYinAMxCwU:K3wMZ1lWL7MW+N0peVQ7HxRU
                                                                                                                                                                                                                                        MD5:7D9DF905042D334B4A966BD1AA8FB08B
                                                                                                                                                                                                                                        SHA1:3ECC8AD781DB2F3A01C09993BE7D31A878AF4105
                                                                                                                                                                                                                                        SHA-256:7C6F7FF7350CDAD1F7025CB1B0FFADBCA99F801C7D0B9C2F11F5A9AE2F2E53A7
                                                                                                                                                                                                                                        SHA-512:BF17D7A918469726B0325AE2BB35C00D1D5BF3BDA73FDF0397A432F271630A4CCEC2B4A30A677697F1E34AAE81D8FB37A076581C8B78C35B28141AE5ABFEE53D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):71248
                                                                                                                                                                                                                                        Entropy (8bit):6.13173802618335
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:pQuedlunqpC9yYxC9P7tt08eeykGlsESo3+7Hxr:g3KICHxC9ZJexRsG3+x
                                                                                                                                                                                                                                        MD5:F85B82A5B08CCAA5359DF86C5A7EAF68
                                                                                                                                                                                                                                        SHA1:6CA8520D247CF38F1D885B987B77892CC94397F6
                                                                                                                                                                                                                                        SHA-256:EF4402FA640506310B85D639DFB2848DBA25DC9AFA331088F8EFB7F0877EE8C8
                                                                                                                                                                                                                                        SHA-512:ADAD4A9E3BC20726986FBA733EA1C2A3490E1C15A92E339A4E0F187EBF0BABFB598F02CEFBB9F54A50343150E365F0D47B31A06054864D8C48ECD5F58445E31A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):543312
                                                                                                                                                                                                                                        Entropy (8bit):5.987161302939433
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:a6+HbUMHVgQO61+5ZpvsQ60OghEusa4UQgce0x7KjF76pkLzLFEnJEIfibgPKiU5:a6aRgsgfEU4UDcxkLzJEBsgPKiUYFHsv
                                                                                                                                                                                                                                        MD5:76B3958BBDDF8E1A58B08581EB4B5CC2
                                                                                                                                                                                                                                        SHA1:B51FFBD175BF70D20C4184FEF53764966DAB2393
                                                                                                                                                                                                                                        SHA-256:0C13A1B28BAFB47ADB5D8B9E86923116258CB4E4CCB3C84310B360D4D004C145
                                                                                                                                                                                                                                        SHA-512:7B43FA7B09C19B01E96B94028EF9EBE4CF44339437A517011702239BA247189F0D3EE8449E6913F82A41E86BA7E80CDFC9ADA9E7DE5423A38F0DBC434725588E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9728
                                                                                                                                                                                                                                        Entropy (8bit):4.560006548424685
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:AiWWNv/jzSENtqcadVl8PandjJUf7ZJSqSi/ufPU1S5rxg0XWr:v1Nvb5adVl8P2djJMZJSGu3z5rxg0XWr
                                                                                                                                                                                                                                        MD5:63E9B310597AC25A1CEAA55B6F0CC9F3
                                                                                                                                                                                                                                        SHA1:0C5B170ABA511F479E593727CF7F562523EA7E8C
                                                                                                                                                                                                                                        SHA-256:96B51BB87A1F4072D10B774FFADF81AF93881900571D21FE638E10E3FB0220B8
                                                                                                                                                                                                                                        SHA-512:3BAF3836F8F42DF2D3444409115A3564B0961CD3141CC46E248E6E29A59EC773E511477D8DED4BE05125F2F45E987FD6F94AC5676C318A728B7CA63EB78E9056
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10240
                                                                                                                                                                                                                                        Entropy (8bit):4.43329064965383
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:ycWWNv/jzSEStoC1vxx6hUltfxx+BE00cUnAPq115rxg0XWr:yc1NvbGVxx6hUltfxgE00cLq5rxg0XWr
                                                                                                                                                                                                                                        MD5:94136496103CA7B4425EB6D639EEC501
                                                                                                                                                                                                                                        SHA1:AC8F3F4E7C04D4BEEFBA94004A114880662C8387
                                                                                                                                                                                                                                        SHA-256:A3A44472A3944FF0D5C31241BF6DD9B6AE04EAE03581D338B53E3E41EED7141D
                                                                                                                                                                                                                                        SHA-512:04F4614C5BCF97EC643079D50FFA800B2F89A503E02D7DA6FF97AA463993A6964833068063C5A144C7E7D44BEAF082B43EA672F66B4E831EC2CE828666C4965B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10240
                                                                                                                                                                                                                                        Entropy (8bit):4.581775279455886
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:R/WWNv/jzSEYtPpmKJiDjgmlRFI0HYZDKz/VPH1g5rxg0XWr:R/1NvbdKJiDjgmlRi0HYZDMa5rxg0XWr
                                                                                                                                                                                                                                        MD5:8C7822BE67F1576F2E11817826ABE40E
                                                                                                                                                                                                                                        SHA1:9B9EDD5FEE4415CB7FB09F0940BEAAFF1C107EB7
                                                                                                                                                                                                                                        SHA-256:C9A7CFE32AB4567D671A84397ABDA29CC92B21CB412CE0F0DF12352C68B7460F
                                                                                                                                                                                                                                        SHA-512:70F76DFFB3FE25F1D3550BEC3C168805AB422C6A0505DDDD21EB2A5B59F24D5F37AEDE0DBEBCF16F821868789E17A87AE61442BE6525ECA0461C0146E4E6B850
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10240
                                                                                                                                                                                                                                        Entropy (8bit):4.368843686720491
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:IiWWNv/jzSE5tyT1TNgr1nJIhZAf/07mPk1q5rxg0XWr:31NvbGTNgr1nJI3+07M75rxg0XWr
                                                                                                                                                                                                                                        MD5:79C01911FD90F929CCBD1D4964D2C17A
                                                                                                                                                                                                                                        SHA1:1878855F9C350B245C3258204A754770CAD776A3
                                                                                                                                                                                                                                        SHA-256:E8F0F7F9E9F2D836AAA341A39D3B395B397BAC0B88F6DDED3F159A6C8D2D74A1
                                                                                                                                                                                                                                        SHA-512:0C820224F516FE888621C09E3ED1870AC4B702AB97B1CE3CE4463445FC96F9D8798C97B6AE6ECFF1175D8D8EE8657052AF0E42D03B55340635CF9F5E65A9D6FA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10240
                                                                                                                                                                                                                                        Entropy (8bit):4.593201257102684
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:9SWWNv/jzSEYtq2dE1cxy8ON0Qsk96sPE1V5rxg0XWr:9S1NvbaG1cxy8ONHskd85rxg0XWr
                                                                                                                                                                                                                                        MD5:437252DA54AB3171BC7DE366E5494AD8
                                                                                                                                                                                                                                        SHA1:A4FCFD9240B28C836240D4CAA4C9EC8DE38F6E9F
                                                                                                                                                                                                                                        SHA-256:9BFB9826E286B55AA5A580A5C220114063871B1EA8C541DF783A73EF8E72806B
                                                                                                                                                                                                                                        SHA-512:8D56A2EF0DE3B3BF16FE4D931EE6D6A8119E4CD7B3FFA52AC3EF65CEA2A2F4C4E99ED536757546A54CD5A2318A1BA4E70E6425367402CFD06345FEA6EE8442C0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10752
                                                                                                                                                                                                                                        Entropy (8bit):4.84740063117937
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:AHwWWNv/jzSEfthb7O9JKggIOrCPPzm394in3fwB/CZPlN1O5rxg0XWr:AQ1NvbH7O9JKgglrCPChnYVC5E5rxg06
                                                                                                                                                                                                                                        MD5:44CC811E193FB220954A0E56AF6F7682
                                                                                                                                                                                                                                        SHA1:B1437F518F3D8E8DEAD506D7E352B69593486244
                                                                                                                                                                                                                                        SHA-256:8CDCF449550DF3F9CACD3A8A41D19D6144BB0FED630825D6118D4077F637BC35
                                                                                                                                                                                                                                        SHA-512:E3FE956494F6179D6A725ECA38FE0E0739A14300DE035093212B0169BED45374E3792EBF7DF916996923777CCB9842C04D9B954D30094D51CE81A892D8F49385
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):71312
                                                                                                                                                                                                                                        Entropy (8bit):6.106692533939604
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:mxuAEP6SHdOP71+KXUk/lsQDzZfOmLeSo0df9Xzlu:eEP6SHdOItSlXfNeSdf9Xxu
                                                                                                                                                                                                                                        MD5:0631D48880E7DDDDE2733C133BA486BB
                                                                                                                                                                                                                                        SHA1:08BDC5C585123FA5F3B4D670DC92CBAA7620725A
                                                                                                                                                                                                                                        SHA-256:AAD8B9A018FC4C4601EDC7C9169370EEE26628C4D90F967C947BA9A81EC4B224
                                                                                                                                                                                                                                        SHA-512:3AD9C20EF888DBD78AD99673E2242ED45006F204FE704076C7791A681849E4A5DDFA9E38862F26DB8203262536E92F1757FDB6982A9FDE1625C3825D89F08A41
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):801048
                                                                                                                                                                                                                                        Entropy (8bit):1.7800450887072108
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:8qirVlWQX3WT56Os1HnhWgN7acWf53p13s5yX01k9z3Agrf8mNVf0nj:8BriQ+5kHRN76HcYR9zPrf8mrf0nj
                                                                                                                                                                                                                                        MD5:7A44C33341844DBE9C6FA526AF88E80A
                                                                                                                                                                                                                                        SHA1:0ACABD100F61A2F8B3C5E68A270599AD54EB8A39
                                                                                                                                                                                                                                        SHA-256:68F73AB17FB7F4AFF3D35EF6DB0E9D5B0FA0151111CB3D03992E23BC29D6C40A
                                                                                                                                                                                                                                        SHA-512:B81D63B345C193C6DEF17372311447D305AE167B2C4D1C2FDB0344D1E1EF5FF4F9D52599FFD862B2480825B308178737DF7E5E48C31E712339F009E92B6EAF57
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):159904
                                                                                                                                                                                                                                        Entropy (8bit):6.097873216527841
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:eXCCOOz54xuTlmyRmIazZ11Ip5ZUWISFogVJoQyaH5MbDiz:Wz5dQ/cpJISF5c8abC
                                                                                                                                                                                                                                        MD5:950CD24EA3A9EFE5CCE594A8B228AFDA
                                                                                                                                                                                                                                        SHA1:4609AC99EBD157E4C9BF7E276EEA961C4BB3AA4F
                                                                                                                                                                                                                                        SHA-256:2AF781190AB7C97D6B846D5027745D609AD227665695E8ECB3AFD4CC9FCE6537
                                                                                                                                                                                                                                        SHA-512:2E8D0DE29E62732458472B8FA5AC35C48416E6AA5034BE309F688A095E6222A215EA3318FA02358707FBB98918983F2AB8996AC6703585485533ED4975AB7E3F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):86816
                                                                                                                                                                                                                                        Entropy (8bit):6.013720216920584
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:rqz3g47M9YIB/nRPP6eyO0MIq6y7suFvTbqtN0p7pqHUzH:rq3M5ftPzTLIq6y7sgytNK7p0Uz
                                                                                                                                                                                                                                        MD5:AAB8F9887FA45F30FE04472352E5AFEA
                                                                                                                                                                                                                                        SHA1:8244D05575D13E605B22538D7AE66D4805BC45C0
                                                                                                                                                                                                                                        SHA-256:7DFACED56145F3C6B80DE25A09E0DF6729149EF3C6A8F8F1B559E93B914FD2DE
                                                                                                                                                                                                                                        SHA-512:97BA85978B48324908427833374CB3C19DE01F136D29A3ADCAC350A0555B30087513CD33BB7B18F0CB52CB3E8884E0ACD1BD256704A8B96EA0C4CA8A0F8135CE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9728
                                                                                                                                                                                                                                        Entropy (8bit):4.709151479489131
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:0uWWNv/jzSEhtiBbSEmfO2mdqeCtzEc6yCPVo1L5rxg0XWr:J1NvbcbSEm22mdqet+ws5rxg0XWr
                                                                                                                                                                                                                                        MD5:90289DA899746E328816734D723C93A0
                                                                                                                                                                                                                                        SHA1:6AF8E30872729E89FE0A7C01D99DACF4AE6726CF
                                                                                                                                                                                                                                        SHA-256:2B3853CEBEA222ABB31C2B1E3D6CD19A2F6621ABB56954162751A2B592680676
                                                                                                                                                                                                                                        SHA-512:ABB6FE5216B412CD85E139D69657A40BEEBA00F2DD0DF1795AAD8CF27C13D9CE0EB2DCF3904CA445678D689CE56FA2C169ED7B40490181EA6B770B1A634A6D4B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9728
                                                                                                                                                                                                                                        Entropy (8bit):4.7267524338984295
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:T2WWNv/jzSEhtimYtEq40uI7Sr2fqmxkNeo7R7L7c7xM757odHK9nPo21f5rxg06:a1NvbOtEq40uYSatEdHwWloA9Pb5rxgJ
                                                                                                                                                                                                                                        MD5:2356F25971B72EDBB3303AEA1BEFB9A1
                                                                                                                                                                                                                                        SHA1:60780C3E4F36829A0038BF56CD929148A0A0523C
                                                                                                                                                                                                                                        SHA-256:99C3F55737EBC53BA4EAA92FAAE23EC8AAB9149826E5D821D6BC976706BED237
                                                                                                                                                                                                                                        SHA-512:3252FE8D4A04F4EF79DB76DEB446FBA236E0B281E0B1B35488198D8A5D8EF0F4890ED68DB0E93CA17CE3783B6A6A4D71EF5F8979F917E05D4DDAC638DF082A60
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1152141
                                                                                                                                                                                                                                        Entropy (8bit):7.9996934105504405
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:24576:Y0MtJOalt7fQwfM+tshGvx5LBhqAc9sDQPfs8+5iaSpFiz:65Lm++hGZ5LnZMO8f+5Aiz
                                                                                                                                                                                                                                        MD5:9A9B1FD85B5F1DCD568A521399A0D057
                                                                                                                                                                                                                                        SHA1:34ED149B290A3A94260D889BA50CB286F1795FA6
                                                                                                                                                                                                                                        SHA-256:88D5A5A4A1B56963D509989B9BE1A914AFE3E9EE25C2D786328DF85DA4A7820D
                                                                                                                                                                                                                                        SHA-512:7C1259DDDFF406FDAADB236BF4C7DFB734C9DA34FD7BAD9994839772E298EBF3F19F02EB0655E773BA82702AA9175337BA4416C561DC2CB604D08E271CC74776
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):52272
                                                                                                                                                                                                                                        Entropy (8bit):6.139785828189609
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:avB4oeg/Po2Obb95bmrpeALHpZAgEpYinAMxCC8:ruQpbHbklAp7Hxx8
                                                                                                                                                                                                                                        MD5:3180C705182447F4BCC7CE8E2820B25D
                                                                                                                                                                                                                                        SHA1:AD6486557819A33D3F29B18D92B43B11707AAE6E
                                                                                                                                                                                                                                        SHA-256:5B536EDA4BFF1FDB5B1DB4987E66DA88C6C0E1D919777623344CD064D5C9BA22
                                                                                                                                                                                                                                        SHA-512:228149E1915D8375AA93A0AFF8C5A1D3417DF41B46F5A6D9A7052715DBB93E1E0A034A63F0FAAD98D4067BCFE86EDB5EB1DDF750C341607D33931526C784EB35
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1782
                                                                                                                                                                                                                                        Entropy (8bit):5.026919218581437
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3rrb7h+1/gYo27RgdSagFsg+w3Sg+CjdgDt:7rn4cwCR
                                                                                                                                                                                                                                        MD5:13CFEB2261E4DAEAA3C06F7A60078F91
                                                                                                                                                                                                                                        SHA1:D76B6D07D8FEC75789025FBAB18048AD193B1462
                                                                                                                                                                                                                                        SHA-256:6BBDCC477F0C1EFBD0129AC7716F96CC2844103169AAEBFF03D4C8F5C54745D6
                                                                                                                                                                                                                                        SHA-512:F804155363FEB09427F7C8E968EAAA7DDA15F739769864A23C8A0FC9137151A03F02FB30B11F47A69DDCEFFF02BF933721C3757A3FB78C705D0537205BBD3A92
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <d
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11
                                                                                                                                                                                                                                        Entropy (8bit):3.459431618637298
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhTLV:WFLV
                                                                                                                                                                                                                                        MD5:530F2E4E5E3DDA283DB3C78CC0C13297
                                                                                                                                                                                                                                        SHA1:CF60B778D32C9562B94411DA9DCD8FED2017AB84
                                                                                                                                                                                                                                        SHA-256:447163A4A3F1F10AFD9EC48F915085B3236F0FA7EDC9973C16925EDB5F6CF0CC
                                                                                                                                                                                                                                        SHA-512:DD4F7AF9A0F57707D1924BB504D3FC267B4898B909CF6E6ECD274BBC9B487A5CE5D8000E3FAD6EC0061E565C728455965C91F1B4E380227264AD2EE3E2990E28
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=6.0
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95792
                                                                                                                                                                                                                                        Entropy (8bit):6.184818983275012
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:GQ7brNBoXFbuhpLHbTOgemUu7+n3uRw1FlQRd5JY4t5K56y0sDrUfvPrhZwLXF7X:GQ/iwLWgeW+neRw1Hyd/YCs56y0sXUfG
                                                                                                                                                                                                                                        MD5:23C8674C75D5944445BF1C035E4A4789
                                                                                                                                                                                                                                        SHA1:A1255CEDEAC9F9A04B50C7814CD7C61A50623A19
                                                                                                                                                                                                                                        SHA-256:D2043F878740F643BF91F3EF798DBB9747904A1D503AAC4ED2108131F663AB37
                                                                                                                                                                                                                                        SHA-512:52ABA8350A05E9E5A672CB04CE528CFC4DA009247B2BD8B63096AF9A37C1F352A4C2BD12B03973AA1E733551F94F542814E425223DEF2AA33B595AA2DC555A95
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95280
                                                                                                                                                                                                                                        Entropy (8bit):6.002764283325334
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:ocNQW9Tbp/VgiZi7sT5gdBxYJMcTnbJkI+eD7HxSR:ojobJVgiHMcr5Da
                                                                                                                                                                                                                                        MD5:10961147A546FFCD8B7C19771BA70198
                                                                                                                                                                                                                                        SHA1:5B63EEA0B2E53DB81AFB146D469E899E1E67DACF
                                                                                                                                                                                                                                        SHA-256:95C53735107ADCC39E6C3268335B2AD434E2364A007CC97B2147AF3A6EE837F3
                                                                                                                                                                                                                                        SHA-512:9830450FF9E8D2E6B74D8D8938A18DFB1BA008249D389FB923D5AAA25B7F8F9E5BAD4CB3FC13100C5F53B0CCEDA4E9427E90F2B733EA9BE0FFAA5D5F165C815E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.656654225594367
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:5Xh+/DtYchNyby2sE9jBF6IYiYF8pA5K+oCGUHFeFl5XqQ:5Xh+tYmNyb8E9VF6IYinAM+oCaFXF
                                                                                                                                                                                                                                        MD5:96703E15C375B8A701C9D1F5BE8C4149
                                                                                                                                                                                                                                        SHA1:B058FA32FBDA52D70C1B966640B4824D5487ADC4
                                                                                                                                                                                                                                        SHA-256:3F830FA8F22EB09D59088705E26DCE964FB430722E91630B03EB15FCC48359A0
                                                                                                                                                                                                                                        SHA-512:3D7515BBFD018BCB24C69235A65F401BCF00D6932E412696FF31DC6EDE9436B2D4E5983450C9F88AF7B52D18949B4C1EFFEB9C3F94E85DCE57C4495F21D21A86
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):52272
                                                                                                                                                                                                                                        Entropy (8bit):6.410547751816252
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:KQMnML8f1VNPa7fb8LRaIzlRK/usybUjuUY0vZKE8tcqPqZw+I39Wu1FEpYinAM/:K9ML8LW/usybGYVE8mZw+89Wu1e7Hxas
                                                                                                                                                                                                                                        MD5:20FC2DB17D09554BBC37785B3644DFC3
                                                                                                                                                                                                                                        SHA1:AAC4CA54730DB46145748AB419CF6BE3B39D2A74
                                                                                                                                                                                                                                        SHA-256:4151D6C627A324D9F2991A4D98BB7544926DB41B3211EDC1B2085922B1D1FC46
                                                                                                                                                                                                                                        SHA-512:62F6711FD2861BEA0FC214882678CF7F98CB53E8AF858C46CCC1F5B1F2FF9C22DCBD3A184A9DE9AD2D2148F0B529426DE7F793A63A459D72D2DCB048DF4E40FD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398896
                                                                                                                                                                                                                                        Entropy (8bit):6.13440642371392
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:hjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/Zmvr:h+e55LgIkTmyAAfTnMLvr
                                                                                                                                                                                                                                        MD5:A79C5395D945A1A369EA05D73B1170E4
                                                                                                                                                                                                                                        SHA1:937D030106FD7E88B61E4F4D1AC28A3B9FFA0AA4
                                                                                                                                                                                                                                        SHA-256:7580F72E7059A9DBCF41C94DC69ECCA0B3A983C010DE86B9A509A701163AFEC0
                                                                                                                                                                                                                                        SHA-512:176C719C2595A6A01041EC240D5341FAC5AB6137756FD70F71A1B5C5A6E9A923FB61760808840D439CDBAB70ADFAEE137B13600875E0BC3A209E501DB84C2AAD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):883760
                                                                                                                                                                                                                                        Entropy (8bit):6.071525670553409
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:Y1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQm:Y1n1p9LdRN39aQZUq3
                                                                                                                                                                                                                                        MD5:022108AD251A8942E295269CA824DE07
                                                                                                                                                                                                                                        SHA1:05CE96EB21FF69C5ACE572405A39936E594B7043
                                                                                                                                                                                                                                        SHA-256:353FC27D930C31219086C6D391B0502AC298F6084DFCB3EA423DD1DAB3BA1907
                                                                                                                                                                                                                                        SHA-512:49028D3C1C7C8FAE813F294577B97EB0C66F2D62DF880072AD59679460D55A6DEB1546DDF07A7353563910E21F4D53F5FCB4BD421887D7B75429083CA200C16E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):710192
Entropy (8bit):5.960711597816388
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):284208
Entropy (8bit):6.117274836584594
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):22064
Entropy (8bit):6.676829122620627
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):97328
Entropy (8bit):6.241615255803021
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):138288
Entropy (8bit):6.18032959054322
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):17968
Entropy (8bit):6.672454142602205
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
Category:dropped
Size (bytes):384064
Entropy (8bit):7.999354812539926
Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:6144:oT+//Q9zzulKCWBQWv2SaUi4QGX46RIpikyZVsEJ4edsS5OmBOGapgfFwchugV7h:o6//QYKvQe3as3vt4edsTEHapgfgt2/l
                                                                                                                                                                                                                                        MD5:62BA835DA9186B6F9ABA75DB02BDA457
                                                                                                                                                                                                                                        SHA1:73CF400D8CA1E32DC336344778E43BA5F077659A
                                                                                                                                                                                                                                        SHA-256:3F7E666C873A00E2FC36561CA3C6554D64EE592CA6D7AAE44C1D578A4BA952C0
                                                                                                                                                                                                                                        SHA-512:AD12DDCF069B1E41895C6FE95B4206AFD5E41FC36078323B0CF5084A90322106366B1058FD19F4A7A2E3298B59EE06CF8DB75DFCEDAC3377211216A81DD86CD9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):176176
                                                                                                                                                                                                                                        Entropy (8bit):5.810538753278762
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:8hu0H1+EJQCH77wKu8MFZYfAZN8nCq8vwzZhq7tZ:8hu0H1+EK27wKu8MFZYSIZhqn
                                                                                                                                                                                                                                        MD5:ACCE8B17DE63299AA4D5CB7D709BEEDC
                                                                                                                                                                                                                                        SHA1:F0EC4BB9BE94EE250ED38E88A87B65E727A9A058
                                                                                                                                                                                                                                        SHA-256:C46A613D72F89B5886A79B742AA845152505734642188EA710716F63FB775C77
                                                                                                                                                                                                                                        SHA-512:1FD0EADD36D9058E7BC4AC06108B0430ABD5D43BC14100593352FD2F5639547B92BD7AE9691E219A26A90A80E4427DAE687A2312DCA0A48F71DD3ACFF9494752
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):546
                                                                                                                                                                                                                                        Entropy (8bit):5.048902065665432
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdG3VSQg9LNFF7ap+5v5OXrRf/2//FicYo4xm:JdASPF7NhOXrRH2/d9r
                                                                                                                                                                                                                                        MD5:158FB7D9323C6CE69D4FCE11486A40A1
                                                                                                                                                                                                                                        SHA1:29AB26F5728F6BA6F0E5636BF47149BD9851F532
                                                                                                                                                                                                                                        SHA-256:5E38EF232F42F9B0474F8CE937A478200F7A8926B90E45CB375FFDA339EC3C21
                                                                                                                                                                                                                                        SHA-512:7EEFCC5E65AB4110655E71BC282587E88242C15292D9C670885F0DAAE30FA19A4B059390EB8E934607B8B14105E3E25D7C5C1B926B6F93BDD40CBD284AAA3CEB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
Preview:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" />
    <supportedRuntime version="v2.0.50727" />
  </startup>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhWan:WTn
                                                                                                                                                                                                                                        MD5:5114AE785BDC99E7A17BF2CDA7D29A72
                                                                                                                                                                                                                                        SHA1:3DE3B2F755C832B8D5E6C0EC409448E2F559FFD6
                                                                                                                                                                                                                                        SHA-256:69DFFBBCA4B0D194104AF8F2E0FCF2B8019BE844149151B35AC0777A26FDA2DB
                                                                                                                                                                                                                                        SHA-512:87243F0B4B8E45408B39D209FA7AAFF2A844D58E73C431F7887C90B000FD19B12048987218598945D4FAA0FA75FDAEA83FC50583175143DF737134A2BDD27D03
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=37.2
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96816
                                                                                                                                                                                                                                        Entropy (8bit):6.18002703527251
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:9Jt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7HxwX:9QUm2H5KTfOLgxFJjE50vksVUfPvCy
                                                                                                                                                                                                                                        MD5:DDC6B969B5DB1626766381FF12340FA1
                                                                                                                                                                                                                                        SHA1:6AAA12B989EDAAD22E1DB21127DDCFFD8951930A
                                                                                                                                                                                                                                        SHA-256:CEBE42FBEE50769C3CF9CE1ADEB4FA85046802B7A298BDEAAC3278CF4B653525
                                                                                                                                                                                                                                        SHA-512:B86D9C2E1234960F6614B6E6D790EEAFB093DB4CC1C9A2C4FE55EF0D4496D79B673F1B373BEDB036D23246FE1D3B7370FC0A195F59508A0566BF101401480F6E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):704560
                                                                                                                                                                                                                                        Entropy (8bit):5.95412318973471
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:t9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3c:t8m657w6ZBLmkitKqBCjC0PDgM5M
                                                                                                                                                                                                                                        MD5:6EB75A19A6AB8F9DE3886261B399A8F7
                                                                                                                                                                                                                                        SHA1:7FE98DDEC3FAA1362167BE26B5455283E7777881
                                                                                                                                                                                                                                        SHA-256:D1A4D5FB2B89A96A3EFFC149D0A32B72182D37B59414AAF78E202D91CF408A68
                                                                                                                                                                                                                                        SHA-512:383C477438A3654DCF5EB984626715D14AD6C771692B28326EE2212034F8B70D4430AEAE677532C66619883CBE86456602E544F2E0F0A98770F69BE3956504C1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):4.652394185451826
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:hsShKq4MsShLP6SX9NfzyShaKf0OTEGShaKf0Od:J4qBX9Nf1cd
                                                                                                                                                                                                                                        MD5:3CC4E87DE92BB0BD688A707DA9DDF9E8
                                                                                                                                                                                                                                        SHA1:A8EC67525350CDE1BE1B3466E39F6DABAFA003C0
                                                                                                                                                                                                                                        SHA-256:9503E1EAB02C748FB5341C147DA772D8E9232C63203F6CD3527CC2E8EDED86AE
                                                                                                                                                                                                                                        SHA-512:44562437B098FB41E7134CEC1FF4E74376AD5404925AC04E6D347A5734C79A473FCF7113E439ED68BF2E1ED87986D4D0EB6BD8DEA5ACC987FD410D658E002F3D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................TAgentPackageAgentInformation, Version=37.2.0.0, Culture=neutral, PublicKeyToken=null.....6AgentPackageAgentInformation.Cache.CachedDynamicFields.....<DynamicFields>k__BackingField.<Timestamp>k__BackingField..JAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto[]................i....H...............HAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto................................................................................................
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35
                                                                                                                                                                                                                                        Entropy (8bit):3.8214419452073276
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:6SmHTaLj9ho:6SmHYxho
                                                                                                                                                                                                                                        MD5:319E2D48B57A20E2F964378E3F2CCE09
                                                                                                                                                                                                                                        SHA1:424E748C5402904018B469668D06C11B7335D379
                                                                                                                                                                                                                                        SHA-256:24976882787E3156CC01FAD1128F6ECB626D7FA68485C70BECE18B8E5E8D8A49
                                                                                                                                                                                                                                        SHA-512:8F2D4FDBC5A83F43528F0ABD8E47268818F69FB6FE717D6CFF26CE5869E6CA4EE7842E9F3180AEDA9073764D9B12AA10133DB6C6656477E6166A33B9813FC1D2
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.199FC5B1688689A0544F6FF5C4A80EAD
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35
                                                                                                                                                                                                                                        Entropy (8bit):3.677028119136097
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:fc3Gh7UgzVchXn:f7NUgWn
                                                                                                                                                                                                                                        MD5:E49A5284D2F384905389D53944708C48
                                                                                                                                                                                                                                        SHA1:E455420E95EA0246B8B63A251B0E451ACD711B28
                                                                                                                                                                                                                                        SHA-256:33FD3B161AEC8867652C6B0707180ADC42C267EE9F66E33BF0CE70B55B4660B9
                                                                                                                                                                                                                                        SHA-512:E9EC60296F38F68EB6C6233094E50EF534CE44A91E6511097158D631673017F8FE316E1C11A494C29BD8BE6F94AAFBF9F4A9546E709694BD3CC98B12CD243FF4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.2E69DDAE9D0D04A8ED39EECA359A9772
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):328916
                                                                                                                                                                                                                                        Entropy (8bit):7.999290842463468
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:6144:EQjapzpRU64iYUQf9N4E/xWTUugwXWBoJW55fJKsff+Idm3lqd0LNIN/Hggh:EUaBXU5BjfcE5WTkwGRfQY+Om3lqdv5
                                                                                                                                                                                                                                        MD5:D3901E62166E9C42864FE3062CB4D8D5
                                                                                                                                                                                                                                        SHA1:C9C19EEC0FA04514F2F8B20F075D8F31B78BAE70
                                                                                                                                                                                                                                        SHA-256:DBC0E52E6DE93A0567A61C7B1E86DAA51FBEF725A4A31EEF4C9BBFF86F43671C
                                                                                                                                                                                                                                        SHA-512:AE33E57759E573773B9BB79944B09251F0DC4E07CDB8F373EC06963ABFC1E6A6326DF7F3B5FECF90BD2B060E3CB5A48B913B745CC853AC32D2558A8651C76111
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
Preview: ZIP archive data (binary content not shown); first entry name: AgentPackageHeartbeat/AgentPackageHeartbeat.exe
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27696
                                                                                                                                                                                                                                        Entropy (8bit):6.448893455648887
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:TndoS4jOhWCHDIJNQnt96+aTkdMEdcG7UhZPWU1Nyb8E9VF6IYinAM+oC8Z1KTm:Td0SkSeIUhrREpYinAMxCm
                                                                                                                                                                                                                                        MD5:797C9554EC56FD72EBB3F6F6BEF67FB5
                                                                                                                                                                                                                                        SHA1:40AF8F7E72222BA9EC2EA2DD1E42FF51DC2EB1BB
                                                                                                                                                                                                                                        SHA-256:7138B6BEDA7A3F640871E232D93B4307065AB3CD9CFAC1BD7964A6BEC9E60F49
                                                                                                                                                                                                                                        SHA-512:4F461A8A25DA59F47CED0C0DBF59318DDB30C21758037E22BBAA3B03D08FF769BFD1BFC7F43F0E020DF8AE4668355AB4B9E42950DCA25435C2DD3E9A341C4A08
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):542
                                                                                                                                                                                                                                        Entropy (8bit):5.041389931890446
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGGsVZrdSJ9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdArdEtPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:547C772B1DEA0A1E8030F6ED5BE2AF75
                                                                                                                                                                                                                                        SHA1:6F4A95B2EA3342D7B4D61C715C7FC076EB6A2DC0
                                                                                                                                                                                                                                        SHA-256:C35A8B8AF7ECCB9BA68B129FF7F46EB1279229D637049F40761A697E9DFCD5A4
                                                                                                                                                                                                                                        SHA-512:0F77B35AC34C8E4655F7F1F4EBF1A86AA11F96C689E632DA8BE8A17CC69A9292878E0058DD9EA5FF7315DCDD8B34489F06E6DCBB365569E3BB80E81373792FC0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):13
                                                                                                                                                                                                                                        Entropy (8bit):3.5465935642949384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhUv:Wm
                                                                                                                                                                                                                                        MD5:27AD88A291FC97D97FD773334DE4E487
                                                                                                                                                                                                                                        SHA1:04B5DB46F05E02E2EC94B8A0A3447EA41FA4089D
                                                                                                                                                                                                                                        SHA-256:4E7F8923223CB32E5D376EBC0C5361DD97DB201848590C4877D586723142B49F
                                                                                                                                                                                                                                        SHA-512:5B21A87E19D4E3D7A14DC05C815B8D06500695360AAD1F54D2D3713CF05F646E9E7D559551BFE2CC2CDEBCE29A1991BC80AB2B11DDF79A4033897B34DCA40521
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=17.14
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):93232
                                                                                                                                                                                                                                        Entropy (8bit):6.196023578677744
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:5Svbne0Q41qJ3n8JMW+0KcBLQhZV5M+5Nn0komH7yAfRS7Hxh:5S8UMW+BV5M+5Nn0kom/RSz
                                                                                                                                                                                                                                        MD5:BD539D820C8163E9E86E59B99ADEDD22
                                                                                                                                                                                                                                        SHA1:FF367525BA06F8B9E611A82CFD57411BA4FBD1FE
                                                                                                                                                                                                                                        SHA-256:04C547E06CA956DB2B929CC2B6B695A649FF0F82C52E56F2677A887E7D9616DE
                                                                                                                                                                                                                                        SHA-512:FEBB46D70A5466C85087BD4E42FBA81682CF398739F7EFEF43982C830CCFD6FCEC4613F0B5542951A463161C891EE9F378CD4D2B15B1659DCBC0E15A34BA677F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960415778826794
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:fBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUs:fBA/ZTvQD0XY0AJBSjRlXP36RMGx
                                                                                                                                                                                                                                        MD5:3DDA2732842FCAEEA0477F18D85CB584
                                                                                                                                                                                                                                        SHA1:D70016DF3F407CFE1BE6ACF63CC80A2B40F8212B
                                                                                                                                                                                                                                        SHA-256:EF3F8313AD94CFB9C2E8C95B54433F112918A0542C341763B19C0B2C6914A71D
                                                                                                                                                                                                                                        SHA-512:3403842EA1DF9F314EFF6E78F36F215A4E371B01B1C83345B7745737FABB092BDCFE63F78A29FB5FAD14825DA1C7AC286CC8BCA02B0FC3056620FE268D4FE6F9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):833993
                                                                                                                                                                                                                                        Entropy (8bit):7.999644881255343
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:24576:peRqTiLR3omp/AAzr5nxL2CP+sZ4tgMfQo:p8nLR4WYA72CPPoKo
                                                                                                                                                                                                                                        MD5:9B1F97A41BFB95F148868B49460D9D04
                                                                                                                                                                                                                                        SHA1:768031D5E877E347A249DFDEAB7C725DF941324B
                                                                                                                                                                                                                                        SHA-256:09491858D849212847E4718D6CC8F2B1BC3CAA671CEB165CF522290B960262E4
                                                                                                                                                                                                                                        SHA-512:9C8929A78CB459F519ACE48DB494D710EFD588A19A7DBEA84F46D02563CC9615DB8AA78A020F08ECA6FA2B99473D15C8192A513B4DF8073AEF595040D8962AE4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):219696
                                                                                                                                                                                                                                        Entropy (8bit):5.943430076853408
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:It3Mf3ZwYUPEpbPwygJQetg0+BpU3I0toxhGf:2MfJPpjYN8hI
                                                                                                                                                                                                                                        MD5:01807774F043028EC29982A62FA75941
                                                                                                                                                                                                                                        SHA1:AFC25CF6A7A90F908C0A77F2519744F75B3140D4
                                                                                                                                                                                                                                        SHA-256:9D4727352BF6D1CCA9CBA16953EBD1BE360B9DF570FD7BA022172780179C251E
                                                                                                                                                                                                                                        SHA-512:33BD2B21DB275DC8411DA6A1C78EFFA6F43B34AFD2F57959E2931AA966EDEA46C78D7B11729955879889CBE8B81A8E3FB9D3F7E4988E3B7F309CBD1037E0DC02
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):541
                                                                                                                                                                                                                                        Entropy (8bit):5.097123194334321
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGp2VvOF9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsIOvPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:D0EFB0A6D260DBE5D8C91D94B77D7ACD
                                                                                                                                                                                                                                        SHA1:E33A8C642D2A4B3AF77E0C79671EAB5200A45613
                                                                                                                                                                                                                                        SHA-256:7D38534766A52326A04972A47CACA9C05E95169725D59AB4A995F8A498678102
                                                                                                                                                                                                                                        SHA-512:A3F1CFF570201B8944780CF475B58969332C6AF9BEA0A6231E59443B05FC96DF06A005FF05F78954DBE2FEC42DA207F6D26025AA558D0A30A36F0DF23A44A35C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXWp:WBc
                                                                                                                                                                                                                                        MD5:DFDD2EB77BBB74518BAD98519A857D41
                                                                                                                                                                                                                                        SHA1:5F4F91D73EA620CDF0E5AC458E80B71412B1BB9F
                                                                                                                                                                                                                                        SHA-256:7655078305CC5B4F62569EF9868E1B04FCC491D33FDAD1F8E4610C038BCBAC8D
                                                                                                                                                                                                                                        SHA-512:481CDA97C03294EBAB036F99727828983C8D0E4C137AF05FDEA7FD296D11378904BACCE2D58D44F932A0BF7F2A30A9B44F4CBC05E253F132B1EF641F648C8DF0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=23.8
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):52272
                                                                                                                                                                                                                                        Entropy (8bit):6.300719339270839
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:5i8fXCGsSVh/2ixXxKFArYCJdshn9xvlOaEpYinAMxCuMr:5FaM2gS1y2F9Ob7HxCr
                                                                                                                                                                                                                                        MD5:9467F653980C1C37E4C64811BA27C976
                                                                                                                                                                                                                                        SHA1:68130FABBB50EAF5CFE2C355BA13B303DD373FB6
                                                                                                                                                                                                                                        SHA-256:821847799A2B7B3A6EC20BA61388AC87707D9C6865BD904A44DE5B033BD2EF29
                                                                                                                                                                                                                                        SHA-512:E72B7802256053589D889B2B7E74A2B53F328289A12CC0D4930D66410D00585C67B2C434512473CD2E74C8F2CB7685C2C34FCFC3DBA4A52399532CEB04153597
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96816
                                                                                                                                                                                                                                        Entropy (8bit):6.1801131806578455
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:hJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxwx:hQUm2H5KTfOLgxFJjE50vksVUfPvCI
                                                                                                                                                                                                                                        MD5:F1B2303DD7E152BA70F3537EDB2E9638
                                                                                                                                                                                                                                        SHA1:7E359D4B9011449DABB7F8236F14851A346B5028
                                                                                                                                                                                                                                        SHA-256:8EE8B304339B6F87E79B117F605375AFFFCBABA290A1B41BB6B3C1A40E46767C
                                                                                                                                                                                                                                        SHA-512:A4DD48F1AFF528DADF9974ADA1740CE785823FB584F55191D008158FCFB11F9ADAD8EFF992B8FF761058706C1717E28FBC9C337CF39D4EE4FFAA529501CB3188
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19
                                                                                                                                                                                                                                        Entropy (8bit):3.286629486786197
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:hVuBd:Du7
                                                                                                                                                                                                                                        MD5:31124E4258CF1764F3568035902C1990
                                                                                                                                                                                                                                        SHA1:EF4FB0823A886F5495E8E97353B6C95573ECD17B
                                                                                                                                                                                                                                        SHA-256:09BF1757FC1FDB2BA8DEB0720F3C6F414D811618434B6B0B632366FEBF44020A
                                                                                                                                                                                                                                        SHA-512:175F3E857AB5FBECF42FAAD396799C79AC6367FFBEEFF4274EE2EC52A308998A5DCD5C7604165CAF783C5AB73D0263E0732345F7D80EAED56BAB49AB6576C8AC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:05/08/2024 16:19:21
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):499760
                                                                                                                                                                                                                                        Entropy (8bit):6.056862695710082
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:HXv781Hpx+GfCdLr/jd9yyeEAHweiPofdyz7qd352SW8CdykAfqO:/76BfC5avfdyvc2SN
                                                                                                                                                                                                                                        MD5:3CE7E73DB6F575A0D382DDAA8E1A3C10
                                                                                                                                                                                                                                        SHA1:031C13652C540CA7F798D141D7C3333FB1C71618
                                                                                                                                                                                                                                        SHA-256:692185C37DB7505250E58CC55D6707FCB099315A7FF319A9CC92FD99C5F0EEA7
                                                                                                                                                                                                                                        SHA-512:5270E772613864BD223F31F89CFA500E56E7863967C58C503F92E193AF8C8CAF934B7755868EC21585A38E8D6D186A2DC5528A805A62A0BFA56B59E6506BFF81
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960733432365752
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:bBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUk:bBjk38WuBcAbwoA/BkjSHXP36RMGt
                                                                                                                                                                                                                                        MD5:2A9525F27730CBF9E7145AADE4CDA830
                                                                                                                                                                                                                                        SHA1:A6A99E02599656DE1C7F51B02C84BBA8AAE0346D
                                                                                                                                                                                                                                        SHA-256:29D0073080509DB7F3F20C47980A1347CC4139C5F2E26C9C160AE67CE5EECB6E
                                                                                                                                                                                                                                        SHA-512:DDDEEC7AA9D3F9E6187718564AE1A447FCAB12EC2DCBD26EDD87217B4815C274A6BAF90A027766FCC94815C762ED9BFA8D0DEF6C1B2F84279DED9C66852D381E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):277040
                                                                                                                                                                                                                                        Entropy (8bit):6.190626027944278
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:rSOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRYA:suQlBAMW0BvltxZ6B
                                                                                                                                                                                                                                        MD5:4ECF017FD71CC84A4CBAB7507B8634BE
                                                                                                                                                                                                                                        SHA1:2343F37490F9A11F5F0878A1553F0FAF504FE062
                                                                                                                                                                                                                                        SHA-256:871D9403D045F94FC433907E49B68894764FCAF81E12FBDE2AC7A08642DDA32C
                                                                                                                                                                                                                                        SHA-512:5FCB9BDA9C857BA1AD2EC0B19AD109AC54BAC91B8F8F00968560623C8AFD01FAEE1078F7C76010C7526A37C46EE0DB74A0E0DB151186F8FB220105F7091FA69B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):149552
                                                                                                                                                                                                                                        Entropy (8bit):6.059724018456156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:o/S+nps5/3oat9QrwQmUgs0giOBDQntBBGBBKBUkBBXBBgBBFBUABU1BB0BBBBgB:o/S+nps5/3f9Qrdd5EtBBGBBKBUkBBXh
                                                                                                                                                                                                                                        MD5:2FF31980FD256EF1B1E143D4699BB727
                                                                                                                                                                                                                                        SHA1:608A21DA2B243E63DAD9E36EE84BC38C921F8E77
                                                                                                                                                                                                                                        SHA-256:F34AD6FB7847A85ADBE1492C783233A8A32BB5E96972FA3738538CE20513F682
                                                                                                                                                                                                                                        SHA-512:2FEF83A7668D190297863592FBBC8E766042067138C3A163771CDCF1FB284BC8162EA6B7B958CB076B6AB654216B855324AE292F78931C47EDC33B52376943AD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27184
                                                                                                                                                                                                                                        Entropy (8bit):6.334370226233819
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Bn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCw:BnvXYcIh6yFIFBYpc47Hxn
                                                                                                                                                                                                                                        MD5:A964D6B5F323E343E884A1E4EBBA21A3
                                                                                                                                                                                                                                        SHA1:41FEA32C2FCC56070CF904AB441019F963C83ED5
                                                                                                                                                                                                                                        SHA-256:0214D2C78CC1DBE92853305FA12119BBE09EA06B5EB9C4B4E7AD76B6FAF232ED
                                                                                                                                                                                                                                        SHA-512:3E93C094D3B9D77BAE9C1725B452743FDFA0A20EB07FFC50EA861C501821710A2C29197CF43DCEC1BF089A5BC9B8F2BF57F9FD0EC8D9805D00E32538D03CD46C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.955083228632948
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:R784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRX:R7N1r9KGI04CCARLX
                                                                                                                                                                                                                                        MD5:FA432B69828C0F175E44B367AF91ED2D
                                                                                                                                                                                                                                        SHA1:C0E72D5C64E9B560311EBD1EC3A35CED46386C78
                                                                                                                                                                                                                                        SHA-256:6718AFA55EF89805B69360C9E88347A39CC302AB3C16590E78136C20DB025613
                                                                                                                                                                                                                                        SHA-512:E0C54D9126C557C24013486A31D5477EFF2B800ADAE472C3103EE1F1CD527546E6DCEFB19D5DCE602AEE6DA7A0290F413CE2C6C09DF28D4333C4E62510FE2064
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):639
                                                                                                                                                                                                                                        Entropy (8bit):4.8859746528450385
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:Du0LIytXE7E0LIy6XEOMrD6Ek4ECuZDOBrQgxzNMq9r6xPNEur6xPNEC4gx7:DumtXBmWek4EgdQ2zNMWIPNRIPNW27
                                                                                                                                                                                                                                        MD5:A80BD8C887D31329BB9F5F534FE4287C
                                                                                                                                                                                                                                        SHA1:D006C20397CFAB6071E3A601D7B7B403AB871208
                                                                                                                                                                                                                                        SHA-256:11430053857B8A60B910A06849C6BE282DB9BA62D2B8EAE451EC2A6A1640525B
                                                                                                                                                                                                                                        SHA-512:F6E64EB29066BD5DC96534A6B3D71D8BE382699DA243D546DE9662FF78FD33EF3FA45D7DE5F4660BE8AE038106F7FDE298FFADDC24C8BB63FAD6E6859D525AE4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:05/08/2024 16:19:18 In Program static constructor, before instantiating _logger05/08/2024 16:19:18 In Program static constructor, after instantiating _logger without using _logger05/08/2024 16:19:18 Starting Main(), logging without using _logger..05/08/2024 04:19:18.342 pm: Info: Before PollAll() call written at: 05/08/2024 16:19:18..05/08/2024 04:19:21.201 pm: Info: In PollAll() before Poller.PollAll(false) written at: 05/08/2024 16:19:21..05/08/2024 04:19:21.233 pm: Info: In PollAll() after Poller.PollAll(false) written at: 05/08/2024 16:19:21..05/08/2024 04:19:21.233 pm: Info: After PollAll() call written at: 05/08/2024 16:19:21
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1242459
                                                                                                                                                                                                                                        Entropy (8bit):7.999705337724571
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:24576:ZQXvdoybigLPNNmXx5B7u62Axnj/7NAckRq/QO8tf:KoMFLGXxn7t2ARjheh5
                                                                                                                                                                                                                                        MD5:DE647C2003B0AF989D2E87782CBDDCD4
                                                                                                                                                                                                                                        SHA1:BEDC6201C49E8B26AF38D4A81AF7545ABE4E27CD
                                                                                                                                                                                                                                        SHA-256:74732E18B4D2E436952D9BF13AFFB854D570E2E7BD25F5AE6884195A4343A697
                                                                                                                                                                                                                                        SHA-512:34438F6376D283B6E5D1D2E60B2A2A8411641E2EB89ACC173D0DB409645FA37D1D67ED47899ADA434E9BEBF054867D8EAEF14BEAFABC116E30A76622D2796A4E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):37936
                                                                                                                                                                                                                                        Entropy (8bit):6.420777740976457
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:TlK7ivy767zzumHTxUxx/u4sEpYinAMxCczxx:9IS6mHVUTxl7Hxhtx
                                                                                                                                                                                                                                        MD5:601E661FD5917647D8932600560E6A27
                                                                                                                                                                                                                                        SHA1:C259050D22DDFCCD00434FBDF4660668E45A1D45
                                                                                                                                                                                                                                        SHA-256:0F1A1F5C257AA061CAEF7FAA224959F60F8E257A5A56ECD02BB9E8BE25EA093A
                                                                                                                                                                                                                                        SHA-512:8A3822FB7A1FA5C08F9FFAA7F3FA91FFF2DB795CA17D259D3C51264434D86325E20E8398D4E3785E143AEE7430A35287112C52A876E163F5AC8FCA414E27FBFB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1295
                                                                                                                                                                                                                                        Entropy (8bit):5.018953579697613
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdArdEtPF7NhOXrRH2/BLVv+13vH2/nVQ7uH2/FV0PH2/+w39y:3Ar+z7O7Rgdp+1/gnSagFsg+w3w
                                                                                                                                                                                                                                        MD5:843D2196B96E53ABCAE6F4C243D1A7A6
                                                                                                                                                                                                                                        SHA1:EB28441616660FD53653999595A3309961AA9A54
                                                                                                                                                                                                                                        SHA-256:175C1EBF4B5C56563944E65C9E8AE4595730155D69854499DB638E82E16DF056
                                                                                                                                                                                                                                        SHA-512:2C24DA122963E1BF533FD8A5C841C9BCD86442E0E49D3BE379FBB21AA607FDC6C7D30BA5573615416D55538429652BF1108D88EC8267FDC5D8C8F9ECAF11D0A1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-12.0.0.0" newVersion="12.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11
                                                                                                                                                                                                                                        Entropy (8bit):3.459431618637298
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhUln:Ws
                                                                                                                                                                                                                                        MD5:5652F0418016B3ADE276CAA479E9D5B0
                                                                                                                                                                                                                                        SHA1:8385D87585086709BAC2E028432AB505875DD0CF
                                                                                                                                                                                                                                        SHA-256:5E29BFF135603676BF4545FBFF476A3C705FE61261F7334BB71C55F9DC8FA095
                                                                                                                                                                                                                                        SHA-512:8B9F9606D29895470277D78C78EBB0A9487F012EA9FD92468791E1B33E406E14E9A7DF02391F62475229051E282DCF15A5977132FDF6D2C1769C69E572C3E8B1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=1.4
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):92720
                                                                                                                                                                                                                                        Entropy (8bit):6.197723114252408
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:XqIbONGJUSMm8E0/N4El/5qn0k8sSU0R1g7Hxt:XqIV8E0fJ5qn0k8s81gf
                                                                                                                                                                                                                                        MD5:9730ABA0BFA904FABD79FB5E3F2083A5
                                                                                                                                                                                                                                        SHA1:5D8A6F97D6B729121A7409EF881452E8A8532E74
                                                                                                                                                                                                                                        SHA-256:9D3A9CB8F40AE8FECDCDD953C12574DCBF0D1B411ED09875A6E1194D323DF97F
                                                                                                                                                                                                                                        SHA-512:0B46876C6C48A7969FB4F548CDAF9927FCA5949F005D75B9DAA3EFE181839963D3BE6CFD34962AB7111BDB577CD0881E80EF494770B66752D4DDE7A2596EB4E8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95280
                                                                                                                                                                                                                                        Entropy (8bit):5.998458771567579
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:niLY8I1pq2jBTn9kbf0KNGVIYMcoS1JkEX5g7Hxlv6:2Z0PMcjrgv6
                                                                                                                                                                                                                                        MD5:DBCEF7625BA26E5F98BFDB57EBE860F7
                                                                                                                                                                                                                                        SHA1:63748B8CA00E8D0E5E6F9EF8079959AB5C776208
                                                                                                                                                                                                                                        SHA-256:7F83ED5B26F7BDEC092A468D4CF5F24FD8417EF11D479FD78FEC4CBAC74BC193
                                                                                                                                                                                                                                        SHA-512:9902A9A794D30A21681156C54C868B276F6AE294DE2D40FBA9B2448F853452DE15583A9485BACB7600467173DBCD99A1571E62F2E56FEBABBBC812DB03E5A7D7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51760
                                                                                                                                                                                                                                        Entropy (8bit):6.406771850554805
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:cQMnMYnUFMSptE7C+t2RO3neZN8752vwzE8Kku6ZFMLcyMmEpYinAMxCH9I:c9MYn1seLE8JFMLcyMH7Hxh
                                                                                                                                                                                                                                        MD5:BF0A1971F65A9FE73F8E048BA390710B
                                                                                                                                                                                                                                        SHA1:FCE44EC8DD092BA5D76ECDCF7ABC8912AECD7EFB
                                                                                                                                                                                                                                        SHA-256:F9A2D469C7FDDFD29DD49B617141F3DFAC3F98F9218198CF639887E72C7A1F82
                                                                                                                                                                                                                                        SHA-512:490DD7021B595239A98BFFA409667D864249408355E31A72251EE68700562BC90A03192C3D3C3379224876077758BB78DB337242AFD9F6F0F79E5D03AD0E36CB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):354352
                                                                                                                                                                                                                                        Entropy (8bit):6.153608452030037
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:Hr/iEF3zTxesPlx5zIAUH+2n8G4smIkuxhnCq7a/ZmvYsn:Hhpp9xxIBeXGfvYsn
                                                                                                                                                                                                                                        MD5:4EB845CC376117FBD7456B5116DEF8EB
                                                                                                                                                                                                                                        SHA1:CEECAC7E66E327A55E8E8AECA34569C1A98AE618
                                                                                                                                                                                                                                        SHA-256:3147327D5B6FDC6213B8082D0A5E469EAAAEB127F9D25F5A54F83A09564F920E
                                                                                                                                                                                                                                        SHA-512:CC96AEEB1C90941EF51C9C9BCE8E4A304F33F868CACA1655CD1ABE0F110337DC4B2486F9D57DF493CBCE8B193A44561F03133AC10B2ABFB0CFA221176F8D9206
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):883760
                                                                                                                                                                                                                                        Entropy (8bit):6.071423352723142
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:x1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQK:x1n1p9LdRN39aQZUq3
                                                                                                                                                                                                                                        MD5:BC7133B1B43617AAD9B6CC4BABF49E8E
                                                                                                                                                                                                                                        SHA1:424AFEC5BBF4523F651A6AD2EB14EF0EF7CB9FA6
                                                                                                                                                                                                                                        SHA-256:E3FF7C72FC6AE0F4CF5F2F5463F7C232CCF73A9496A1A8B2E82D793B85DFC39A
                                                                                                                                                                                                                                        SHA-512:B73DEB87F0C0155CD98B9F92A4A9FE04381C1F5D98F47E3E6DA085087AFFCD6050850904CA5FA2D770465516A1EFFA3DB88EEA8198B4366E6944A8472E68BB3F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):702512
                                                                                                                                                                                                                                        Entropy (8bit):5.9432161483973
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:Kf9WGsSVSM2mxL2nRiOr8gUckc6V/g2GhBzj05cH6:YXNL2PVh6B+Bzjmca
                                                                                                                                                                                                                                        MD5:F2182E7F039D5A08B27FFD8B12DA12CE
                                                                                                                                                                                                                                        SHA1:140F1BE731C0F6C1A2AE221B5E880B37807CA539
                                                                                                                                                                                                                                        SHA-256:DE0AF87DF1D85E9D877533899B428147D961F3AD87555A997793AEE2C4EC3D14
                                                                                                                                                                                                                                        SHA-512:AF30D9DEFC925A56F963FF1B023A260B851CDE5E1FF57B8213268753E1833C2F3BC7977E97332B2B2ED2D6A20B515A7F562A3DCA4DC960125FB06073F8AEF0B6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):285744
                                                                                                                                                                                                                                        Entropy (8bit):6.189807833908334
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:hZAWecOmop6I4A9YzsRuBeXirS9/pcRykxxNKKV6S8mSrpsPnga:hZeZ6ANRIru9/pcMkoKV64SrWB
                                                                                                                                                                                                                                        MD5:C248CF206D619DCC9DFDE1905C56ABE9
                                                                                                                                                                                                                                        SHA1:7E738C393C9C356567FEC91DD5EC9F8D7201107D
                                                                                                                                                                                                                                        SHA-256:17437BC5E33AE2D4C02DC19844C3EFED74B8F07EFDFC7E7F21E7B76162AE5C2A
                                                                                                                                                                                                                                        SHA-512:6EE09AC010C65D2C02AB25DDDB8530ACE7D5E8342764D4F98DECB94B02C18B593D22322986264327FEE2DDD3F4FDE630F63EBAEBF274D57006549D53FB9D68F1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):284208
                                                                                                                                                                                                                                        Entropy (8bit):6.117313368373633
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:tZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHW:/go0WPVTXg2
                                                                                                                                                                                                                                        MD5:E7F7F8366DAE3FF49DF0A042E766B823
                                                                                                                                                                                                                                        SHA1:13163C2D38244CA3043DCEB6E35AA9E35E5460FD
                                                                                                                                                                                                                                        SHA-256:28FE2BB6DC8063506A50BD16EA75CAC63FF87D6C94FE8C820EB4C7C070DE0AF3
                                                                                                                                                                                                                                        SHA-512:154AE5A8F1EF145609158322EA1ED22A815643D980C82589A708C72471626B2A754EBF5CFD3B017229A32775B581F4476AEB2DC8BD10B6D8CB2842586CD514BF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22064
                                                                                                                                                                                                                                        Entropy (8bit):6.677875130083087
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ey/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqh7:euhMaVmzDC67EpYinAMxCr
                                                                                                                                                                                                                                        MD5:AD27AA5DF0CCB993A7C533ABC2B12BC5
                                                                                                                                                                                                                                        SHA1:601A025FB69A53EA8627AD124BCFC6689E15C3B8
                                                                                                                                                                                                                                        SHA-256:C3836ED94362FCEAEA5EB3031CE226E3A2188196B335FC12AF5379754F3BEE6D
                                                                                                                                                                                                                                        SHA-512:FD462C30EC56D26829873C7CC437FC9B7B65DF094247486982964F8347D53CA31BC62B6926CCD242BE5C59F11E929F2945C6D15AFA13E46E7DCE68171FD7DAB8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51760
                                                                                                                                                                                                                                        Entropy (8bit):6.234800508786839
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:fzpj9H0/bvvmNAkkOMo/23e3vggrkrD9Bxjpm2yuIFLlHTUpa/hDXEpYinAMxCWX:fzpjF0/t043e3vggr83jMYa/hU7HxVX
                                                                                                                                                                                                                                        MD5:2D33C7F58A38D1EBD9167DDBB846C552
                                                                                                                                                                                                                                        SHA1:96A22461836A2D9D0A3D945B1A000B601DD112E2
                                                                                                                                                                                                                                        SHA-256:46DAC445CC521BBC4763E09E344CE47E89C9ECFCCF359BAB5E7DDA158798B61D
                                                                                                                                                                                                                                        SHA-512:164F50BA58540FDF9DDD0147BF36238FF2A5F4CE5F317C1B0C6C6967DB353537B7744DFDE67F0FCDA14C1671635E1E191D5DDE6FA258054E92247DAECF180580
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138288
                                                                                                                                                                                                                                        Entropy (8bit):6.180026310625973
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:SP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IlW:Sh0qjC5RMOHO420kN1p
                                                                                                                                                                                                                                        MD5:FA1958277D8991A2CA3DCBEDD326E679
                                                                                                                                                                                                                                        SHA1:FF67C65737EA8EB970D58397AD41179DFD7D876D
                                                                                                                                                                                                                                        SHA-256:F90DD27CD8064A93700C114BA8479741030E99356FBB120CB03BC341E88EABE4
                                                                                                                                                                                                                                        SHA-512:226ED579CCD8D4CB7705A0245926A25226BC054884A55AF6BC8E707A5FA2EBF38E3094F15F309999F3D05695E7B3C9CE5022B5EAAE6E2E5E092BEDB6B9A74B9A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17968
                                                                                                                                                                                                                                        Entropy (8bit):6.67630363450165
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:dh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBw52Z:dy9eEpYinAMxCAUU
                                                                                                                                                                                                                                        MD5:C8A500FA8517ED60D8294125640CE6BF
                                                                                                                                                                                                                                        SHA1:8D056F18F46ACC3798214CFC46A9A849DB83BF6E
                                                                                                                                                                                                                                        SHA-256:72B89634770625E6C891B8336755B6A341C8B5786C3728D9D679B756718A2DD4
                                                                                                                                                                                                                                        SHA-512:443CC856D319F519DB75B9359C57F6410821DBC3F57B4C86EC66C18285DAC7BE6FD983653343B43278553B92A7AF07D1911FA5847B8F884EC04BB8BCC8054350
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27184
                                                                                                                                                                                                                                        Entropy (8bit):6.332745078390322
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:fn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCkwZ:fnvXYcIh6yFIFBYpc47HxlwZ
                                                                                                                                                                                                                                        MD5:D62F04C397D229F2661538F299181122
                                                                                                                                                                                                                                        SHA1:03EE3CF62888CA5BFD36B042D2E1F90F5741E0EB
                                                                                                                                                                                                                                        SHA-256:3F07F423C81340FF2BB705C599BEA8267932EAB8D5F9E2D60BC54798C3FF6CDD
                                                                                                                                                                                                                                        SHA-512:C4F91003ED7D13BF4C2E06CB462920C6D3550F76F4D0F63D3070F760A874B3EAF00813BC0871E5E3FED5DAEEB60D1691A1AE93246A0ACCCE518512B8AC3DE56B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.955144932150523
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:8784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRJP8:87N1r9KGI04CCARLB8
                                                                                                                                                                                                                                        MD5:328BA848ABD9A548F19263D9E43B7361
                                                                                                                                                                                                                                        SHA1:DB4D58DEAF5EC79F620EF1AD5BFF9E28F8EB0D7E
                                                                                                                                                                                                                                        SHA-256:B282E0543145778A695B875E82908698A38B0C0DCB9F88BAD135823EA69A9D94
                                                                                                                                                                                                                                        SHA-512:EC8DDA91192109C5E981E2EF73CB5F7169DBEC36B32221700C8C759883B7FE2176575A39C3CCDF7F4C3F6351560C9E37B884D62154BE6558875F117638533301
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3585011
                                                                                                                                                                                                                                        Entropy (8bit):7.9999193745697
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:49152:PifnPfXNZMNdg2I1fVkjUhN0ToFwQGw8tQRSm90p13l95Ogl5xs35F7gzzTaCzZw:PSPfadg2IIj+N0TK7SSKjUglopWD/Py
                                                                                                                                                                                                                                        MD5:25EE719E8A32A0C5DFC57A5923FE32F2
                                                                                                                                                                                                                                        SHA1:F48E0549F5F05476EB780E78F7840A98B4375193
                                                                                                                                                                                                                                        SHA-256:A5CEB8392D19691CFC565D6DE595D829D474B9B095557A55C1D11BA475E82836
                                                                                                                                                                                                                                        SHA-512:A7483CDD47E71AE7570AFF30D2EC9E8017DFE5BA6488A8E14B538912A0E3AB286BAF764A13553D30170D874C5F14EA524C5D878131304C74838AA8E0952A2831
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):396336
                                                                                                                                                                                                                                        Entropy (8bit):6.250697507262227
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:1fXwAmmWkxZjUCyC6ulqODyu+1QsF9K7SCHp5ZuI5MXd0XjkcdvCtUovOz6E8DnB:1fX7bwG6ulqJZaS5kzdKtUYOzMu2h
                                                                                                                                                                                                                                        MD5:B50005A1A62AFA85240D1F65165856EB
                                                                                                                                                                                                                                        SHA1:EEC370FA998AFCD06227DCB1BD5E6E2D36073693
                                                                                                                                                                                                                                        SHA-256:1867CF4FCB38F7E7FC98DDAD180C26A717360DF688A8EABD9F325FDE3C16F5BD
                                                                                                                                                                                                                                        SHA-512:63E664A8C12F27EF4C273330A8CE322CEACF12649C2BF61617ED8E394C43BF2CCAF1C2A14E2CE8807C11CE5EDD653FC7F942D0F4919923B37E1174A67393DBC4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1459
                                                                                                                                                                                                                                        Entropy (8bit):5.033662307409642
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dErdGPF7Nv+13vH2/nVhOXrRH2/d9XF7N0PH2/+w39XF7NQ7uH2/F9y:cErU7h+1/gn27Rgdz7Eg+w3z76agFw
                                                                                                                                                                                                                                        MD5:C6ECF24757926EBA64E674BFF8B747D1
                                                                                                                                                                                                                                        SHA1:3A46083826C20E8E085C42BBFDFEEF4F9E2B90D9
                                                                                                                                                                                                                                        SHA-256:C3EC04142C15B0A237E72CE1C3C85D19CD1231B9824F7A9854E7909A74B7BECC
                                                                                                                                                                                                                                        SHA-512:EFABB9883ADB098A90115E8938C92B76BBB8D2EB5DE170ECFA205EE949A2D722E0F97F6E01F9A71AC8B5FA2108B9FF82FA0171759D50E30D0AB5FC1948BDCE15
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhW8:W9
                                                                                                                                                                                                                                        MD5:72133F8B7A6B747D14AD3D4BFF8CA002
                                                                                                                                                                                                                                        SHA1:476623D1CA063E5F7836DEC97384F79E9DD04786
                                                                                                                                                                                                                                        SHA-256:531EFE3FB7CACBC23B12FBEF7B426A3EEF4B4ACA64C20DF7637F4ABD46CF1FC1
                                                                                                                                                                                                                                        SHA-512:4292C7513F4843543FDDA960271E060648C7690AB48477FCE27C00220F5216FC813114078E64886AADCDD5FD42AD96DB447856C11FD5954D6B1596B744CD5F2C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=36.9
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):102448
                                                                                                                                                                                                                                        Entropy (8bit):6.190419076161021
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:OPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OL87Hxc:O2bYbYSWd85I5sSakFQhHL8G
                                                                                                                                                                                                                                        MD5:F64F56F2E4DFA797D5CB4B1CBA08644C
                                                                                                                                                                                                                                        SHA1:3C2DCA64758145239E2AEF45E05CCF6BF9A7FB8D
                                                                                                                                                                                                                                        SHA-256:F23BBB31DD11D74343840FF81E37F73FB891DE7E8C6596AEED2C405DBA97CFA0
                                                                                                                                                                                                                                        SHA-512:19181FCF32B176E9D24677DF8D740D5226F5A7D044DFB24725645C951F4F7682D9CA521F62E2420C814EF177BD20F0C470B54D1C710713F75ECC7F58F7C30CCA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95280
                                                                                                                                                                                                                                        Entropy (8bit):5.996740439887868
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:t4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkj87HxsN:t4auS7S5Ea6WMcpu8I
                                                                                                                                                                                                                                        MD5:EF30D465678A904C773B58CC3B1AD66B
                                                                                                                                                                                                                                        SHA1:D08C5968C279790EF2D10BF2FFC1F2DE937ED4DD
                                                                                                                                                                                                                                        SHA-256:A5FAFA659C8CEC0FF892405939E3BB32269845D4509763ADD219C15E7D2A8710
                                                                                                                                                                                                                                        SHA-512:521E64502F81A789DFB6D4FBE545F76DFE32C7998222CE3002DCEBCE5550D60AF6F29C30F9A4B8B888639CAEDB8C718BA34D88BCCA782EF13E8CE3A81ED537BD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):75312
                                                                                                                                                                                                                                        Entropy (8bit):6.240212933460331
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Su2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrY1:fF+qo7mDEwj4NXLGcfgruFcg7HxRv
                                                                                                                                                                                                                                        MD5:E307CE14EC46071E8D18B6E281A4F955
                                                                                                                                                                                                                                        SHA1:2AA8E6FFF7346019682148DCBCEF44F72ECC4982
                                                                                                                                                                                                                                        SHA-256:E1E9378C07B6783755D1CB46115A1791651588BD172BD535630C306198D384A9
                                                                                                                                                                                                                                        SHA-512:2D7A23FF1D4837FA51E9C93FA0FAC0CE4F5C7744DFED28DD87C75CFF550DA121D0383F488316FF056E60C1068F59A3634E0B09D62065271B1773B73E99C54D4F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51760
                                                                                                                                                                                                                                        Entropy (8bit):6.407791203959866
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:GQMnMYPWMXMwtKsSdj3xn91SPSvwzE8Kku6P3A+wf+bMEpYinAMxCkU:G9MYPJS/16/E8/3A+++bF7Hx3U
                                                                                                                                                                                                                                        MD5:A36553BAC1F9CBF5ECBC13F7BB830E7B
                                                                                                                                                                                                                                        SHA1:2BDACF2F0FD7ED5F3E62E4888F0A9034E8882BFE
                                                                                                                                                                                                                                        SHA-256:CC527E9A3E527C9907D1AA00564057D070BA9B269B9FB2AD8D0F3DD380CBD3B4
                                                                                                                                                                                                                                        SHA-512:9B3CD927725CCA3B2159F91406EF472506348BDB9CF1066386E1DAD1E9C2C4F4A72BF7A936AC9694F259C9F73AFB71B1CC37F9B5C0B1FF3D0259D1B9BD3214B1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):155184
                                                                                                                                                                                                                                        Entropy (8bit):6.247738832262604
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:T0feG0EI+t80zE04kjSnY2QJ6lwZaBsEFmWF+Ykt:IP80zukOltwWk
                                                                                                                                                                                                                                        MD5:CE4E3B687617A7C94D73539DCD89FA73
                                                                                                                                                                                                                                        SHA1:4C6519693D081D9F03503AA5CA3312C41DA3F981
                                                                                                                                                                                                                                        SHA-256:DF753760463622BBF573AD25AC4B5184727D1F232FF68A17A1601F39377DBB76
                                                                                                                                                                                                                                        SHA-512:FA0C76247E05C1577B767373DA659A4876B3B39DA20D3D0CE8A73779306C66FD3A2A032DCD47D11A79F1A1A2A93E242651F8650934CFB98C10D4E50F111F8F90
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.03083318319815
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:m1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7sV:5Izm6pOIgvr7s
                                                                                                                                                                                                                                        MD5:A58985E020BB24EB28C965043EFBA9F5
                                                                                                                                                                                                                                        SHA1:709CB8780E30484A788EF6EADB8B76D30491F66C
                                                                                                                                                                                                                                        SHA-256:1AAED0562F7379F1998E50A9C0F8CBCFCFEE65FF2EF3C5DE2ACCD56764418385
                                                                                                                                                                                                                                        SHA-512:291CBFB3A468DA06CAA0D02B04CE5109EA3EEBDD1B4B0918D9AE45B7DB9FBEAE6842B35D4C9DF99373CAF54DFBED714577C959BE2C9DD9AA92FE2774860842C8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2
                                                                                                                                                                                                                                        Entropy (8bit):1.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:H:H
                                                                                                                                                                                                                                        MD5:99914B932BD37A50B983C5E7C90AE93B
                                                                                                                                                                                                                                        SHA1:BF21A9E8FBC5A3846FB05B4FA0859E0917B2202F
                                                                                                                                                                                                                                        SHA-256:44136FA355B3678A1146AD16F7E8649E94FB4FC21FE77E8310C060F61CAAFF8A
                                                                                                                                                                                                                                        SHA-512:27C74670ADB75075FAD058D5CEAF7B20C4E7786C83BAE8A32F626F9782AF34C9A33C2046EF60FD2A7878D378E29FEC851806BBD9A67878F3A9F1CDA4830763FD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{}
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):354352
                                                                                                                                                                                                                                        Entropy (8bit):6.153514122272104
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:+r/iEF3zTxesPlx5zIAUH+2n8G4smIkuxhnCq7a/ZmvYy:+hpp9xxIBeXGfvYy
                                                                                                                                                                                                                                        MD5:B2F1B38E6DFFE1FE761A0865392161ED
                                                                                                                                                                                                                                        SHA1:D9196465705125A228494A28D5CE3F3F2C7BDB36
                                                                                                                                                                                                                                        SHA-256:8E958FEA067350A1957FC9E4F3052A1B8D28AB95D4E26A072BCEF0794FB8A398
                                                                                                                                                                                                                                        SHA-512:6E4B6BB945EF698F4552E229E6CBBB615060722D2D1E8F5877200C37C4EEC8AD683C61DA701CB9A09C79673ECA96AC8CAFC3FDF70BACD2C5507C4F0ED78BC1E1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):883760
                                                                                                                                                                                                                                        Entropy (8bit):6.071481963565208
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:V1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQU:V1n1p9LdRN39aQZUqF
                                                                                                                                                                                                                                        MD5:CA515F4F34826F5ED5A8FB7D3259FEFF
                                                                                                                                                                                                                                        SHA1:D31158793EBB4E0CBE957158F2E42754CA826A29
                                                                                                                                                                                                                                        SHA-256:5042E33133E0422F51382C273153295DF814E5CC2FF2A4FD0D973B4AF54D4933
                                                                                                                                                                                                                                        SHA-512:1336E658AE6097598F3508424085AD288AF4B60D4FDB821A10BAC712492652F7BB06F3E53556CCBB7425A63ED48B53D368481D1F142E6B58FF7C4789737A3CFF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960477572931558
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:hBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU/:hBA/ZTvQD0XY0AJBSjRlXP36RMGK
                                                                                                                                                                                                                                        MD5:EF06D200D340C9798A006F304119BA82
                                                                                                                                                                                                                                        SHA1:C08B838DAC97CD1376D934FB5ECA982BEB19D493
                                                                                                                                                                                                                                        SHA-256:88C838B4EEDFF929AFDABA2BA808775B1979C5C9BD7AAED36525CB1A41D8A8FD
                                                                                                                                                                                                                                        SHA-512:E67597F90A504A1B7C6AE838C8F82BF9928D49B22E896592623E9473147F8C05B974E86567E40D93D9C59602843A532034ACF5BAD2EAD78962AC2435A63E80A7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):293424
                                                                                                                                                                                                                                        Entropy (8bit):6.121578040837099
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:vdmT7N9hXNx16L/kakZieD2C6gVkRYKn6nUa9K+yt:vdc7N/WkQHr64t
                                                                                                                                                                                                                                        MD5:C329213E3BAAC31E55B7E57C9B5692C1
                                                                                                                                                                                                                                        SHA1:C858EFBB991254A929A0D7BCB1087628501E6DC7
                                                                                                                                                                                                                                        SHA-256:38C66E322E92172722E36001F2C9E6151655CFFDA8D78BA730B1878FAD793FF6
                                                                                                                                                                                                                                        SHA-512:C86F49F789B40E4EEC295CB652CFC63FD5C87E51029AF975AFEFA86C57BB6A9E52DAD54993FB7186ECE73BA905EF43C50E11B85F221EBC59698D8E1845FA90BC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):277040
                                                                                                                                                                                                                                        Entropy (8bit):6.190744437011799
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:qSOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRYE:luQlBAMW0BvltxZ6h
                                                                                                                                                                                                                                        MD5:D6F46A4CB8CEB824CD1763B62B8F71A8
                                                                                                                                                                                                                                        SHA1:9FA3A8318D93CBDA86D2843B0783CDF0E7B28D92
                                                                                                                                                                                                                                        SHA-256:66386C99B4BCF568C95E93B11E5E89FC78556924C5BDAC9644BCCA7B04291542
                                                                                                                                                                                                                                        SHA-512:4B720C78E8B3316EAE4FD0BE2499173246AAD3896ED7AF76124A8E565977C27197C73D61474ABA34264F18D5C4BCAF1B51070484CE093814E3CA6C2804AE419F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):284208
                                                                                                                                                                                                                                        Entropy (8bit):6.117480150640407
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:PZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHNS:Rgo0WPVTXgg
                                                                                                                                                                                                                                        MD5:74DD74986D9708CFA8F4B4F0D005B604
                                                                                                                                                                                                                                        SHA1:55C85D2BD0ACD3E14ADF6D442670BC7F3DBBB803
                                                                                                                                                                                                                                        SHA-256:7100B1A666B0AA99EE5036E23ACC1BA3CFF2E7B2C73A2EA72F5359374648349E
                                                                                                                                                                                                                                        SHA-512:6CA3A9F1D10B4C492ED4902631C38F81001BDF256014148A7628166BF1932BBBC9DDA570A295C99F918818EFBA28C82D1E33C1532A2EA8163027C14351CC4ED3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22064
                                                                                                                                                                                                                                        Entropy (8bit):6.679229646565206
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:3y/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqUeaT:3uhMaVmzDC67EpYinAMxCuT
                                                                                                                                                                                                                                        MD5:A4EFAE23A302EE53F0A81FF5B3523292
                                                                                                                                                                                                                                        SHA1:EBB0ADFB9771F4CD61A1D0A9CDFE16CE5621A304
                                                                                                                                                                                                                                        SHA-256:D1D0C53044B2BF85F5B19CAF709BEFFCED51397AE94C37F14EB94E915C6446DE
                                                                                                                                                                                                                                        SHA-512:E77C1CEB40F69342C742AACB07016EA6ED5AFB36949E00E85663EA15996C62E019959FDD44E9E0D468C91DBD89CC8EDE10CCC9F242DB7D6C87D2A6E24E6691FE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):409136
                                                                                                                                                                                                                                        Entropy (8bit):6.098144476210718
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:qPaYZ6henFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchFFc5cbc1j:06heZBJm333M89QAy
                                                                                                                                                                                                                                        MD5:D03824AAFFA4923C80E6D8B716D8430E
                                                                                                                                                                                                                                        SHA1:06CE0C7BAFB16D3E92B35444467DB7DE0A6C7C84
                                                                                                                                                                                                                                        SHA-256:7782C0F86CE42101799CA9828FABA1798230734D17990637040DCF15F3617644
                                                                                                                                                                                                                                        SHA-512:59A04EFE8423402F57896ED8D70419ADDF52309024606B35E485E051D21076261098DCBE5F7AA7CE5F8BFC93BE992E94A1AE07102F810B9B1E020529C52475E2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51760
                                                                                                                                                                                                                                        Entropy (8bit):6.2347643754291555
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Yzpj9H0/bvvmNAkkOMo/23e3vggrkrD9Bxjpm2yuIFLlHTUpa/hDXEpYinAMxCWZ:YzpjF0/t043e3vggr83jMYa/hU7HxVZ
                                                                                                                                                                                                                                        MD5:520478C4C71D99D43989786250EB4763
                                                                                                                                                                                                                                        SHA1:748AB4CFCCDB28B46E8226115C88681F72C033FE
                                                                                                                                                                                                                                        SHA-256:9708914775950619C1F13B1871CAA6FA7874891985E249F82AC60862C68746A4
                                                                                                                                                                                                                                        SHA-512:1C851D77617A8059491A1F02F81A27F8AE19CCF6EF925F63301F2C20B190BD35CFD60858121F7BA57301684A4685C87F25089040A67D1EB421A4B82AE8403B03
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138288
                                                                                                                                                                                                                                        Entropy (8bit):6.179821808998386
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:+P3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IlY:+h0qjC5RMOHO420kN1j
                                                                                                                                                                                                                                        MD5:684D6E74002F9691D8CBCB135B6717E2
                                                                                                                                                                                                                                        SHA1:9FC0F5E7AF66ACD2BB0316BF28E9CC0201037EE4
                                                                                                                                                                                                                                        SHA-256:B6AD62636F7224EE73ED95D2E14EB089C34D40BFD2BE21A4C9B02D34CF3FA3E3
                                                                                                                                                                                                                                        SHA-512:76710039C919E70A551E7768C230732F71A069DA34B8BDB7B9D2B853FA9001F3D37952A90E47373F53C8D323E9CAF6726F319FEBA632C2E98F5E06716B1C8EDF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17968
                                                                                                                                                                                                                                        Entropy (8bit):6.673219933457599
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Rh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBAj3IR:Ry9eEpYinAMxCAcW
                                                                                                                                                                                                                                        MD5:ACFCB0A7B3FD1002A8FCD0FD5D65F734
                                                                                                                                                                                                                                        SHA1:8507B9A8EE31430F75678470F5FA06337A76A5E5
                                                                                                                                                                                                                                        SHA-256:98A4333A188E2E88F115C5F8DDADFBED3924900C1071E3226FA5B16E22FFBCB8
                                                                                                                                                                                                                                        SHA-512:29301D054651817479EDD71E80BA4FB2E3CA449A70D7720017DAA3CF6EA2B1390E56EF763C9C9A97D099A0464439923F48D99AB0EFE2FB8B3308BDFBA7708E9A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27184
                                                                                                                                                                                                                                        Entropy (8bit):6.334413974319615
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Sn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCW4:SnvXYcIh6yFIFBYpc47HxN4
                                                                                                                                                                                                                                        MD5:0362AEF9DA024E41795F98D8B888E955
                                                                                                                                                                                                                                        SHA1:53FC9E81D01A7C97D57B9E9ED9A3872EF1E81F74
                                                                                                                                                                                                                                        SHA-256:FC5600A53DD80910B63651E9C5B3B0CA82AA5C53529F4AA0964D21BDC4C64F3A
                                                                                                                                                                                                                                        SHA-512:F65C8EAB66C5C088FB85F16914D18ACB0E2B9B201BD37C5D30B8B0FD2DE2D0AD48C74912C4293ABF611A6A64FD76B3B9B61502993C9EA680723B22A3ED88A612
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.95553243429679
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:R784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRv:R7N1r9KGI04CCARLv
                                                                                                                                                                                                                                        MD5:F25FC027F62B2075901A6677EF81DC17
                                                                                                                                                                                                                                        SHA1:A7DAC5819431ACFFF9E91BCE7C6371B2A00507C5
                                                                                                                                                                                                                                        SHA-256:39CA7203DE9D6D026F5F1E27F00A5CA28133C0494E6F2E3ED55DD2F4F0893238
                                                                                                                                                                                                                                        SHA-512:2E51930198A5DA863A4B718A3772E88532EAE7C0E2C432618B3306F40AB141B6E7435246FE578AB7CABBA4A6BFC674F690484A27793965A6FBEB542F66BFBB40
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4019
                                                                                                                                                                                                                                        Entropy (8bit):5.259113754285659
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:ggDOJg8O/gFO8gYgOVOhVWgBNNXzHSxBNN4zPzRlXNzSPeZgg9dSjedcdS4dS3wH:h7oyH8afhbZh9A6qA4AAADjAN
                                                                                                                                                                                                                                        MD5:614EE5F03D847EE42B4286CA09DD2ED4
                                                                                                                                                                                                                                        SHA1:8DB6733D38E4BCA06E46D3F98E47E7BAE1A16326
                                                                                                                                                                                                                                        SHA-256:BF2080A435F089EC64EDD5EB5348BE51698D07713E83903C7A498C48370ADF85
                                                                                                                                                                                                                                        SHA-512:680BD46D139C51A3828B14295B81D3CAB170B75A5EFC2F99926EE16B8024E1866C9D298870C1364830D456F0B6FA93C388BBA0D4E760208E702CA949743260F2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\log.txt, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024-08-05 16:19:17.3251|ERROR|WindowsWindowedEventLogProvider|Error on retry number 1: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2024-08-05 16:19:18.4970|ERROR|WindowsWindowedEventLogProvider|Error on retry number 2: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2024-08-05 16:19:20.6689|ERROR|WindowsWindowedEventLogProvider|Error on retry number 3: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2024-08-05 16:19:23.6845|ERROR|WindowsWindowedEventLogProvider|Error initializing last processed events, ignoring file, exception: System.IO.FileNotFoundException: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...File name: 'C:\Progr
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 20, database pages 12, cookie 0xb, schema 4, UTF-8, version-valid-for 20
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49152
                                                                                                                                                                                                                                        Entropy (8bit):0.9463428589811985
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:Wu5C4OoNSN1eN+5NmrEZDzWL8OO7QzyO+py:j5PsveM5kEtzy8OO7QzyO+p
                                                                                                                                                                                                                                        MD5:D6475B8E8143D5FB26A2B9A73F2B75A5
                                                                                                                                                                                                                                        SHA1:66F646D15A92769F4CFA069BF8F312299CCBF60B
                                                                                                                                                                                                                                        SHA-256:3F25D84BFE5C1DA89EEB041C62A223E7CEDA748F0D7C3B358649293DFBF4BA25
                                                                                                                                                                                                                                        SHA-512:3AFBBB820E84F54751DE4E9AD7EC5895469802B07E8865C7F847BC3883A1F080268480AF436ED6132F316851E030B77FC9E4F0BF3270C7FB07CB24E98643CDFD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:SQLite Rollback Journal
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8720
                                                                                                                                                                                                                                        Entropy (8bit):1.898441455285752
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:7MOqcFu5C4OZUlFJNGdNGveXXQXN+5NG1ZM:7jfu5C4OoNSN1eN+5NmM
                                                                                                                                                                                                                                        MD5:CF3219F87587EC56D341182BA04A46CA
                                                                                                                                                                                                                                        SHA1:2F3E59B2CC7FAB4575A4CDF04CAE74B35924D8A1
                                                                                                                                                                                                                                        SHA-256:670C8BB364F27DD7CF68DFCD2E6535565FEB4F00EAB465558DCC48684842FEE5
                                                                                                                                                                                                                                        SHA-512:0A20B0EE3A5C9A786C739C1D959C6CA8529BBAA8002456AA576355AF9061FDE04ADCE3D7A5E8CDE2D655B23259D06D8BCC82BB63230E2155D94FE982741EDEA0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):1799216
                                                                                                                                                                                                                                        Entropy (8bit):6.5204766374461345
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:JuvfmOhyS2RuhV0yGzcuHpRs8ulCfUk+qKuMhUwqPevJ8QNYfjmqBBLbNFEohFYm:oHmUMohVWpu8ul0UkTgNCfyo3d
                                                                                                                                                                                                                                        MD5:D066C090D3416A1D082902E0A7EADD06
                                                                                                                                                                                                                                        SHA1:57B66D2450BC314003510657A6309F9921081EF5
                                                                                                                                                                                                                                        SHA-256:820867ABD8E1D48A769C6D8F8D8626CB2D9E492D71ABFB47F4BE7BEDEAB93C6E
                                                                                                                                                                                                                                        SHA-512:F0839808A716ABCF4BB392E4BB1B2D664D004FA519048C94FBA9623481DA87FE023DF94619A184E0F7F91DD02F63BB8FAC1013D09894F000661F438EE631C4C0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1475632
                                                                                                                                                                                                                                        Entropy (8bit):6.7918990024107115
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:BS3uuk58wXpQous2GCzbHwGTzsIDQAKub0MBsIFBm5fi/5ATA9NTTPjXWJD8q6:gdwXpQdNVNDQubXyi60jXTW98q6
                                                                                                                                                                                                                                        MD5:E0C12F374C3CEDEED79A92B5279F838B
                                                                                                                                                                                                                                        SHA1:0FC4F192B32E9FC6C9FF24B9CB3129CDD925C845
                                                                                                                                                                                                                                        SHA-256:44FCAED823205977E5C1F6654C66EB9F51351F10B572CE6E914F4866B6D7B433
                                                                                                                                                                                                                                        SHA-512:AF965E825DC88BDBE35B9E7FC4A3FE360E9DE7751EE074E899BBAEF00FAD5158BB9E7A023D5FB79F0562BA4A30648A15C6B4AF363239B82FFC0F72C12BFB1095
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2898016
                                                                                                                                                                                                                                        Entropy (8bit):7.99870723886616
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:49152:bhJujJ+8s8tJmFOZQseMG7UWhb7Bw+9Tk9Vx4kvKQReXZTR3H1JFEBh6NeboC:bujJ+GJMOisRsTxw+BUVEQReXZN3BEiu
                                                                                                                                                                                                                                        MD5:2E47FD6E7C5A7903B0FC0E2560585C99
                                                                                                                                                                                                                                        SHA1:05A0E44101BDC6B1EC954394ABCD50F44394BD7D
                                                                                                                                                                                                                                        SHA-256:3B9F52357457305F3D462BAB761CDCC760D95A08A20EEE3FBB1D293E22C501C0
                                                                                                                                                                                                                                        SHA-512:B66A2A551B5C56B5A26BD2D1F2E4B8F90CD7BB6B712A96C0F5C38BE7BF50A9DE871F3597B13A34943BCB8F79575E44289C5457A12AABE77C1FEF01BAB71540CC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29232
                                                                                                                                                                                                                                        Entropy (8bit):6.341743761377435
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:spYIrBWGYPHEUePsnhkgGIW7W8feKWDpQNbo1JNyb8E9VF6IYinAM+oCMTKA:STrBL3Ue0FSTuKbo1NEpYinAMxCcv
                                                                                                                                                                                                                                        MD5:5E01CEC9F412D5A38D55F08655613E66
                                                                                                                                                                                                                                        SHA1:5EE3642709450161CD0A0142F3BBF80A1BB14FE6
                                                                                                                                                                                                                                        SHA-256:7ACCEAE6D205AD9CA29C72D02D3BAC335D33D06C428CCBA50BF33A4780EC832B
                                                                                                                                                                                                                                        SHA-512:9AC8B5AA7E7C9606205654933889215F29D7058B4932995412FF99706B318D44ABA98F38842CAD4CB9337BF9DD33D11598034DFE01AFF0B40E1290F0A08AB029
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1919
                                                                                                                                                                                                                                        Entropy (8bit):4.980638040615789
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:327h+1/gYo27RgdSagFsg+w3jdgDSg+CagFw:K4cw9n
                                                                                                                                                                                                                                        MD5:70934BFD2D7659E71CA6A5476C0EB675
                                                                                                                                                                                                                                        SHA1:9B1611D52D3B15A3EF0A5DB4FDBEF94BBD107379
                                                                                                                                                                                                                                        SHA-256:24FECC645D7EF3A69CF81AD72DFC95CDFC4BB313FCCF77864C9A47C69B5DD928
                                                                                                                                                                                                                                        SHA-512:0FA54C94D4A52A95F4A002062CB858222EA64D4FD8E8EF51725A440CCE9F64514DE12DFD60C41435B3B8DBA4AB80363984FD8E8350B5A9B0B75EB90044F14324
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):197680
                                                                                                                                                                                                                                        Entropy (8bit):5.738768519079045
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:R0fBJtxHscCEdeLq5+zDwtwF3yaYx0T2tlwg5rPdZiqiTjXZ+V7c:i5JccC1Lk+CwRyaYrweLriqiTjJf
                                                                                                                                                                                                                                        MD5:D3DB1B40EB62C5E1ED9A8AF5065C7FCB
                                                                                                                                                                                                                                        SHA1:5193EAB51BB2ADD9995B59FE2FC890850163175A
                                                                                                                                                                                                                                        SHA-256:B53A2FDE3AB87516C5FFB885D8390DB4291B4A0AE979FB6158D22D501B9C4999
                                                                                                                                                                                                                                        SHA-512:2466A02D72C05429173A07AC23C824AE137FA501F0C5219CFA382A75CECF2B595EB88899271FBBC2B3329C9A7DF35701806C6A2DCCC49688A4059E79518A1486
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1782
                                                                                                                                                                                                                                        Entropy (8bit):5.026919218581437
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3rrb7h+1/gYoSagFsg+w327RgdSg+CjdgDt:7rn44woR
                                                                                                                                                                                                                                        MD5:F0A8DACF41AED1B1084D1D5157DE3C8D
                                                                                                                                                                                                                                        SHA1:02D4EE2B81AF8E9626571EFDA122849B804CE29D
                                                                                                                                                                                                                                        SHA-256:09C69F2CCC14AD72805AB1360DB7D5AB486D99C5E55DC8B5F54695988811FF80
                                                                                                                                                                                                                                        SHA-512:A6F1E6BA01179DC9AFBFE04887C288142FEA9BD9A593E54977C7F050A0B0EEA96D26EBE3792038EAD56467AEBD325CF7904F3D2B4206B3FE40FB468437A6C4E0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <depe
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhU8n:Wrn
                                                                                                                                                                                                                                        MD5:E9AF22B3FF345802876478A24261E3AE
                                                                                                                                                                                                                                        SHA1:4748C6ABAF4188E263BD09428A86FCC3A90581AD
                                                                                                                                                                                                                                        SHA-256:9DC1086381A133FD8EC88A4A93AEC1AE11D9D5EC6E024C43D12747E2D2CB7E37
                                                                                                                                                                                                                                        SHA-512:1875C4D097CC718E4C2EF0277FFDA4F9E56376B2EE280AC3570769D1C56EFBBC8451ED3D2558487816BB09E49298C18CAE5048386469ED592B7CFD4DE61625CC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=19.2
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95792
                                                                                                                                                                                                                                        Entropy (8bit):6.181929039762044
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:YQnbrNqoXFbuhpLHbTOgmAB4+n3uRw1FlQRd5JY4t5A56y0sDrUfUPrhZwLlf7HO:YQMiwLWgmAC+neRw1Hyd/YC+56y0sXUK
                                                                                                                                                                                                                                        MD5:EBFEC0451858E06C94E3C04ABB8F143B
                                                                                                                                                                                                                                        SHA1:50AB6CC44E2FC39C20179235D6159DC00628DE2E
                                                                                                                                                                                                                                        SHA-256:0B82075C65C102E785783FC43105FCB0F5D4DE6BF19E8C96EB00386303C63BC5
                                                                                                                                                                                                                                        SHA-512:E0BD59DBF13646228609596282DFF0495F8321A839263784091EB5DD59F6A3E787628E3A87E4F88CAAB3F11301E4820DE7F6BDA65297845CA0EE5B63BFF47AB4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95280
                                                                                                                                                                                                                                        Entropy (8bit):5.9966241796933835
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:H4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkj87HxsZ:H4auS7S5Ea6WMcpu8Y
                                                                                                                                                                                                                                        MD5:C595E1747472EA7AC391F12BCC893931
                                                                                                                                                                                                                                        SHA1:D59FE9B8A56DBA868EC11F697376743E3F1928D9
                                                                                                                                                                                                                                        SHA-256:D2FB22CE7FFD674DE2A7C112AA4E25E759625F5D7E9D3CE9D5D3F03E5FB449A6
                                                                                                                                                                                                                                        SHA-512:82D5EF351ED1CFFDC8C60E29E55F3A9A506FD9E29095FF7E80416F48302F731A0FEF258670F3E5EDBDE91608CFE3AB399DD4C9910106649B67253E2D3FD0B930
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.655281618539752
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:kXh+/DtYchNyby2sE9jBF6IYiYF8pA5K+oCGUHFeFl501W8agf:kXh+tYmNyb8E9VF6IYinAM+oCaF01bp
                                                                                                                                                                                                                                        MD5:EACD8E8CC64D8CF18176C7F54E07BEA7
                                                                                                                                                                                                                                        SHA1:76BE2A4F170FD657A1DEDD7AC08EDB5169FEC53D
                                                                                                                                                                                                                                        SHA-256:E81502C7A369F5C4F22871913303A3F5779D8149CBC815A65EFF2E177D3194E2
                                                                                                                                                                                                                                        SHA-512:B23E5E02F04A4C4A3331B96B82165B2C93BCDB49D72BEB082ECFEDFDFA4A17E846250DE09C40B5F2F3A2DEBF2266C42BF857536E62AB80405B3C510BCB37D1B1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):75312
                                                                                                                                                                                                                                        Entropy (8bit):6.241314253152225
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:cu2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrY8:BF+qo7mDEwj4NXLGcfgruFcg7HxRm
                                                                                                                                                                                                                                        MD5:E7955EB00219F6DF15595AF83E6B5912
                                                                                                                                                                                                                                        SHA1:DDA137F9934855AC01CBB6E642A3590B6D61F264
                                                                                                                                                                                                                                        SHA-256:904F044AD412090C9D781140C9EB24681F3E7F8977348DFD11B1E5127437B1FF
                                                                                                                                                                                                                                        SHA-512:42FEA5B98695F7BD014A20FD7735D29F5D8014A749F4AA2E0D5867FDCED2C8A6C4DD76723B5FB189EE5AC7F03659349A1C8873041E1E1428A9D3BFB9476672A2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51760
                                                                                                                                                                                                                                        Entropy (8bit):6.4079299745036415
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:SQMnMYnUFMSptE7C+t2RO3neZN8752vwzE8Kku6ZFMLcyMmEpYinAMxC4B:S9MYn1seLE8JFMLcyMH7HxP
                                                                                                                                                                                                                                        MD5:99CACF67586A7852034EA978459D9CC1
                                                                                                                                                                                                                                        SHA1:886D48B997BCA6C1B4979AD987252DB057FFB5CF
                                                                                                                                                                                                                                        SHA-256:4A299B02FE5480ABA846FB3D6A9371A9A421D344CC73C1F4E089507E94399772
                                                                                                                                                                                                                                        SHA-512:6BC93871AF74795EB55793AF01315E2667B25E2BB1AF88A5EDB07EEB3D095BF0D328160D74D4E4CAD80E4B2D069C20B469398D000B1B21719BF8E0574C0DBA15
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145456
                                                                                                                                                                                                                                        Entropy (8bit):6.203986185627556
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:rRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIhV:F9XeDmzV2yzlhKLFU1lLVp1+2flYFsI
                                                                                                                                                                                                                                        MD5:8CE7F0526F210C6AEDE0BADFC315CA39
                                                                                                                                                                                                                                        SHA1:F28D793C546C7E5A1EE31C175062B5D65D1491A6
                                                                                                                                                                                                                                        SHA-256:F43EB2CFEBCF3E88343F1D8AA63986E18EBE5786477A6D9C0D9FD5DD67C9FC61
                                                                                                                                                                                                                                        SHA-512:522F59BC331D65B4EF9ABCCA822CD1DF25654C2DAE9EAE0D842745693A5AAE70DD09B10A20DF27B87D84954FC037B93DFF3FF35107A3492D5E9F125C3C09B1E8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96304
                                                                                                                                                                                                                                        Entropy (8bit):5.634402313591911
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:l2kKfq2RQuKDMOoytxL2L4zP+YuqL2zL7SAaDx4lbOw6OhL7HxxJJ:GQmyxL2L4D+YZL2X7SAaqywjhLNJ
                                                                                                                                                                                                                                        MD5:767A640C2ED7D4599A2EAE5A707481D3
                                                                                                                                                                                                                                        SHA1:85BF386C7DE6B2A1FB074BF752E1C237D7996F6F
                                                                                                                                                                                                                                        SHA-256:2FA0CDEFF13FC33A899BC822FE9CD4AEEF051EA80853C2130107A8BB5DCFF2D5
                                                                                                                                                                                                                                        SHA-512:6C37BCD2B64D908B8EE891CDAB4CD129743BA51F01EA2F403BEECCEE861FF52EF95205C54BD37C9F8168F8AEB58D5BCDDB4425749CF68AAC2FC4A7A63CE0A2F6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):308272
                                                                                                                                                                                                                                        Entropy (8bit):6.107077348487476
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:bQ8wCKFMjHq9bRwkpHNddKmTtYZo4smxTC3LnXNXa35/ZmvYO:bFKFMFySZIBHvYO
                                                                                                                                                                                                                                        MD5:BB8BE1A7C7F254ED882DEF01E2520E1A
                                                                                                                                                                                                                                        SHA1:B84BE832C23F22F68CA6A75EA2489BF41C6647DF
                                                                                                                                                                                                                                        SHA-256:92C508D8330A9F560697D3AEED337A8CDB240D376440A6C83B6F5EACFC865B5C
                                                                                                                                                                                                                                        SHA-512:3E94E26A0FBD5873133CBF9FB8C8EA942113E56AE12C447D9447258604F4AAA27E9E0DB35A61ADD979B76F50AC8BB759E69C37729B1093530472124A8696435C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.839306386716968
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:JN9VWhX3WZNyb8E9VF6IYinAM+oCF5W0l7:7G8EpYinAMxCD7
                                                                                                                                                                                                                                        MD5:2EB6BD39EE0651784A411E0A644B8D5C
                                                                                                                                                                                                                                        SHA1:6CC149629D3BABA869C6BFC0E9FA9CEDFBD1F3B1
                                                                                                                                                                                                                                        SHA-256:7A577DAA81C99D256F557779C98F2695358C43ADA875DCA59E60366CCB1CE43A
                                                                                                                                                                                                                                        SHA-512:EBB6B5AFCD4AE1F1200343E953D9D84BAAB6958E270D7311B1ECBE5EF93166110A0A462396CCAC136AE8AE2CC73F996C3B851E4157ABE61EE18629B4BD910EE0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):331824
                                                                                                                                                                                                                                        Entropy (8bit):6.168915352000041
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:UBhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNTK:UDMUWITZznu85k8Wdn8KmCjIFi3Vve
                                                                                                                                                                                                                                        MD5:6819F098261F19410482FC67B4839519
                                                                                                                                                                                                                                        SHA1:06EFCEF815477EEA452BF5ACA9B233AA7AC3A0B1
                                                                                                                                                                                                                                        SHA-256:B8606AD9328AFD498DD32D996D86DCCD7869D570303ECA134979F9D86A65F361
                                                                                                                                                                                                                                        SHA-512:7E3623E49ECB5C39E5A8877391A78E9B1A273A1FC62E4AC71CE6E2003F460AB34A594B09034D9E737A963C2ECE023CB599EC4A38F7622C244488C28721483559
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):883760
                                                                                                                                                                                                                                        Entropy (8bit):6.071473112829393
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:21n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQH:21n1p9LdRN39aQZUqS
                                                                                                                                                                                                                                        MD5:7B529CCD5EE98E3569B5D26B9E8CAA0F
                                                                                                                                                                                                                                        SHA1:2285B8177814D6A2A3E17CE901E629F536D2A088
                                                                                                                                                                                                                                        SHA-256:BCEE13BE001D01FA6DB4BF7556ECB33DF4494ACDF9E2795ACFC16DB252DA5461
                                                                                                                                                                                                                                        SHA-512:59DD42D7ABB10A93BC02728B85FE443AD73FDF57A5E62D51C4C7AB022514D74B51694F83CFA8EF6191094514B9537F1B60DCE251C35216879917CF01A5396FA7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.9604634417081215
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:ABARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUn:ABA/ZTvQD0XY0AJBSjRlXP36RMGK
                                                                                                                                                                                                                                        MD5:7242ADA3B827C1E94E6D2C760DCE19D7
                                                                                                                                                                                                                                        SHA1:EDA8AD330719965A6DA5D485CDB6EFB14EE96503
                                                                                                                                                                                                                                        SHA-256:10A19B5C3D7B15BDFFC99B0743642CDE19ADFC9590CA7C2322147F44FFB7A7FB
                                                                                                                                                                                                                                        SHA-512:16ECBB3BA706853BA84B738FFCCB9C6EF50C38576CD8AFAAE9F8B6B746B9600D4EC37E1AF0999C5927BADD260704EAF4FC63DDF4C20EC6044CA1B9AFEDD676D6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):285744
                                                                                                                                                                                                                                        Entropy (8bit):6.184807290251627
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:sZAWDkTmokB1QI3A5XeedC1OcQykFlE1WhOMiSdNrgClZ73HpsP+zb:sZU0BJwuOcrl1w7HX3HWO
                                                                                                                                                                                                                                        MD5:D0E617BD90C283D09E7E98B21489CDE0
                                                                                                                                                                                                                                        SHA1:A52B4574C0269613678F080FC71C9ECFEBA9AA1F
                                                                                                                                                                                                                                        SHA-256:6DC57489CF43418FE8B01B194F2665D70739EF56C7682EA446B699FC63DEA5B8
                                                                                                                                                                                                                                        SHA-512:6CBD55AC06B8B285237D84A72E7CDF6C48F1771C1FFF5C5D98A97C29084B909F97573EB3899243CDE104A5A0309BE1F592EC38120C7867B7F55A164BE8D2D977
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25648
                                                                                                                                                                                                                                        Entropy (8bit):6.5615246242097
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:bAQk7qYbU6fXOpLk5LHAxOEaGUBD3Nyb8E9VF6IYinAM+oCGgQV86upC6:goLOg6BD7EpYinAMxCm8pR
                                                                                                                                                                                                                                        MD5:AF58F5E926396D0E2B3D79A222B03925
                                                                                                                                                                                                                                        SHA1:D057EE1FD67F9A1369DB932DF50D21AD88192821
                                                                                                                                                                                                                                        SHA-256:C07AB9144981AA62A95E75B6BB0837A4572079867E04A92790CB1E25E1D38B80
                                                                                                                                                                                                                                        SHA-512:AAC566EC589D125C076057C2F79CF562FB55295A4FD4789B9839C751F6A16F54D78D98D811FFDCD589CCC775CC92D097B8B295F3414F50158DB7A6637A96C3B8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2029
                                                                                                                                                                                                                                        Entropy (8bit):4.99666085039448
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3Ar+z7h+1/gYo27RgdSagFsg+w3jdgDSg+CagFw:wr+v4cw9n
                                                                                                                                                                                                                                        MD5:A8C16947BDB4CB8CF1CF491FDC02B223
                                                                                                                                                                                                                                        SHA1:5CBEC67AF9B62D270764E5D6C0964881ABD6FCBE
                                                                                                                                                                                                                                        SHA-256:0F53AF9459BFA13AB9F911AE5FDBFDEEB0A5AE48B209E117321984E409413F06
                                                                                                                                                                                                                                        SHA-512:791153552D64F1315C42F794D7C3BD9AA90F8C62D547197EB555A9DF6E08EAB1FD93921FC1FAF5015291FDB4A4173137A93FA7964E8003EF70EAD11DE10C2DE4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </depende
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):210992
                                                                                                                                                                                                                                        Entropy (8bit):5.348248764493682
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/XLNkrE4AOS3ncIzkq2ijc3Y28MNwH5Z5D6k:fLNkrE4AOqcIzQijL/
                                                                                                                                                                                                                                        MD5:9CCD9FB2124027F5CC0056D81AB00ED0
                                                                                                                                                                                                                                        SHA1:F281EB0A03A64E44DB7BE9CF304BA9E35C297D9E
                                                                                                                                                                                                                                        SHA-256:50D5885A0FA757A7650F5EA9604701F16168F3F903FA4258C416B896068CD7CE
                                                                                                                                                                                                                                        SHA-512:53A85490F28DC5692B9EC382014DD57FDE57A46F7DB2D78EF587116BC7658E785B7FBBF14BD3DFBE7AC80FCBC54002B1B2DCA1F14BF17E720884F304543C9151
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19427
                                                                                                                                                                                                                                        Entropy (8bit):4.994540973244801
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:hrg4wdkumUwfGReGWeGFuGgeKCUDuTeHOTu0U5e3eTOaUmS0SXStuKhubUfSJeZY:hrdOPUDCTHffIz
                                                                                                                                                                                                                                        MD5:04178686B6E5E58B69F7DFF5C6FD225F
                                                                                                                                                                                                                                        SHA1:20E38E9E8B6EB9F182729E51710979250910798F
                                                                                                                                                                                                                                        SHA-256:F260BB0DFFA0C3969D7DCBE480F4502DD8C1696FAA7B9019247EC91C6B9778FF
                                                                                                                                                                                                                                        SHA-512:18375EA01D4B3F2CFFE413472B7E736CCEF0024A403C920A17D4E0F1A69F06347B80358AFFF4314EC6A5B9A02E50E850F94585CBF379843C07FE15883FBB2D50
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Numerics.Vectors" publicKey
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):284208
                                                                                                                                                                                                                                        Entropy (8bit):6.117089192355007
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:mZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHr:0go0WPVTXgL
                                                                                                                                                                                                                                        MD5:01507D157C6F85EEFE5A02CFA04C71AC
                                                                                                                                                                                                                                        SHA1:E7FDFAA47375345A355BAF1D8243196E0E413C8B
                                                                                                                                                                                                                                        SHA-256:3A3BC2FCF4BCB7DB66845AD9CACA3F75734373E03679F6C9A5893AD6D8C9BDAF
                                                                                                                                                                                                                                        SHA-512:648B1432B22D16493193A1232B34084AE93EF18E00D6E9081383DB560555C689742EC7D946A19AFF0A43478FE8422995997C06A4B1F796555B069FA5F9300C0C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.8082083149017505
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ljDNxWQFWHNyb8E9VF6IYinAM+oC5+wBEI:9DNVwEpYinAMxCl
                                                                                                                                                                                                                                        MD5:CCD36031B00D5200B07F9A1D9E4FB292
                                                                                                                                                                                                                                        SHA1:6D1FC82131FCC294983761DDDFFD95F756711403
                                                                                                                                                                                                                                        SHA-256:8BEC1A8B018DAC93D1495221A71DD6EF88DF4303D33B34118086AC668B87201E
                                                                                                                                                                                                                                        SHA-512:724D367F7DFAAD7648BFAAA804B245E8B228E6B835F1DD3F40A913B96AE5B52DB5FD65764E099CB33588F77F257AC5BC07DC5B2CD186DDC262F8A73131759186
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22064
                                                                                                                                                                                                                                        Entropy (8bit):6.672156046290606
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:jrMdp9yXOfPfAxR5zwWvYW8avNyb8E9VF6IYinAM+oCAgVuGp:jrMcXP6gEpYinAMxCFuGp
                                                                                                                                                                                                                                        MD5:447A02BF8CB2F5B74CD969D49368DFA1
                                                                                                                                                                                                                                        SHA1:7837448EF402B337F72D88753517D066C4775776
                                                                                                                                                                                                                                        SHA-256:F8514827ACF9E3E31F1591B5C9FEF70E1B84B6A13325B54E0CD6192A432EE136
                                                                                                                                                                                                                                        SHA-512:2754CAE9579539CD6BF4B41CF18916C557E3437BD9162ACCF406E64DD61ECBBB6C12067C54980A3F24C931EF12ABBFC12916999BF571CC900E560C6B6F39CCF4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.906708063624447
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:+m2igOWnW8rWVNyb8E9VF6IYinAM+oCPT89L0:Ot0EpYinAMxCw9I
                                                                                                                                                                                                                                        MD5:8D15F422CD36CCB1704BDA9AFACCC1BD
                                                                                                                                                                                                                                        SHA1:A010CE97600F161D08B657CFCC6B37AF27EF8C46
                                                                                                                                                                                                                                        SHA-256:8A46D05D26754E87235479CFE67E6FF6A081EE2A9360A5D5B35090C239A08807
                                                                                                                                                                                                                                        SHA-512:2AC14951C52FEF5FC054EE2EC1CA26004E9EA301699AA1B33B0B1044FCA89C025982C81B85ECCFFAC52FBEFF2CBEAD8A3BAD28F0D5318FB28CB9D0982A1A45E4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.8984360991761084
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Nnapn1iwwPWcGWvTNyb8E9VF6IYinAM+oCagmKEFHN:0Du3PEpYinAMxC0jJN
                                                                                                                                                                                                                                        MD5:14ABCD3030A0F67F3FA7B9EB6E166662
                                                                                                                                                                                                                                        SHA1:37F5982EE6012B5163DFEC7AFEA62DB5C666E20A
                                                                                                                                                                                                                                        SHA-256:03D191772679BEA6056ED8A9C7BE7EDDE8AF33C29F9A8D03BC1C37241F8F4595
                                                                                                                                                                                                                                        SHA-512:E6612AEB5D962D22DDB5D05B36EBE174DF19D6253DFFD6384B070D3A311322278D44C0183F21FA0A1CA3F915E5EB9C0F2AF0C5C50903969B0B75433AF42B7254
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.905150922557699
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:QHLaEav5aaUa6arWVLWwNyb8E9VF6IYinAM+oCg3r2:dPv5t/NOZEpYinAMxC8q
                                                                                                                                                                                                                                        MD5:884E63693AD540A386F2636ECD128D76
                                                                                                                                                                                                                                        SHA1:A47348563874E8EB75ECFC5B5714AE7456DBA375
                                                                                                                                                                                                                                        SHA-256:ADCB44EF78585B00305D2D723C08846348EF7A489A8253E643DDB0B6C0E0AD7D
                                                                                                                                                                                                                                        SHA-512:9ED61186EF3B425B57AE97718E79CA35355209C7663C0953C2C8D7FF621F998AAA6015CCDA4FEDEA723BBE43B8E5E97DE6119210EA478C5C5FC475BB5C3A2257
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.760657703388277
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:p6iIJq56dOuWSKeWRNyb8E9VF6IYinAM+oCHDRxQ2JFD:3iA1EpYinAMxC9mk
                                                                                                                                                                                                                                        MD5:5782A2F15E90B9BB65D5144F3EFCED5D
                                                                                                                                                                                                                                        SHA1:C395E336F2F3173D186405D94DEF958E57BD24B3
                                                                                                                                                                                                                                        SHA-256:E906F21CE2A0F67F538A3B0E24A06ADD5B62BF2FEE88051C61620DBD09B57187
                                                                                                                                                                                                                                        SHA-512:53CC8E5CA8E113F3D6C9B3BACE9C8DDFDA0D2C1705ACF4EEB7D02CF05C10DAD9495C27CB240FC803A932447E22E32D6C7CD102F2F230F64F1B445AE1AF852DF0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.811536083748834
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Fnzz+MpSaLWW0+W1Nyb8E9VF6IYinAM+oC1JaMjn:ZpuxEpYinAMxC7t
                                                                                                                                                                                                                                        MD5:0C81D0256EE127D45A0829E5E325F5F2
                                                                                                                                                                                                                                        SHA1:995FA37C7091F067F6CEC15A46BCB2E317DE4082
                                                                                                                                                                                                                                        SHA-256:ADC9788AF4BE7DE8D7C492D88230D471E430610E522B2BAFB7FF1D219B7A8FAC
                                                                                                                                                                                                                                        SHA-512:AC83D77B807AC4D3F9841418107BB8558B1011B0066607387A78C3AA3A3ADEC9BC77E91395CCB74D537E414685D6D8A2FF189E61465EA29A2FE2706012E66665
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.8589137652058385
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:PGhr+YUfyHxsW/HWZNyb8E9VF6IYinAM+oCVUhv:ckmoEpYinAMxCc
                                                                                                                                                                                                                                        MD5:3DDE9C05C076FDF1429D9CD75173C6E2
                                                                                                                                                                                                                                        SHA1:578D028E3ED699A68111DEDFA37D095F2EC75A7B
                                                                                                                                                                                                                                        SHA-256:3139E4A728A1D2C82C476BBD54E3714F4FBC303FD3401D235B1338F13D1040CD
                                                                                                                                                                                                                                        SHA-512:5EC90F007C54633422852A0A7AE9BCEF8ECBDC70E63CF9751844E4BF287505DF4228FA20C709B5CF9785EB98951BA3EABD2E6ABF8090DDB4D34BA87C3D750B13
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16944
                                                                                                                                                                                                                                        Entropy (8bit):6.7876912072258415
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:XRE+ruiA5vzWeNWkNyb8E9VF6IYinAM+oC4XWKV:XS9bXEpYinAMxCYl
                                                                                                                                                                                                                                        MD5:FBE73E43216E07F425A24252C0C6F65C
                                                                                                                                                                                                                                        SHA1:0274AC0025B2B9BF44F5AFF28F674F2A3C77DDE4
                                                                                                                                                                                                                                        SHA-256:B89CA254B894484AFF1C72078D54EADB8FB4EA708D39483A25DCA94C162D3660
                                                                                                                                                                                                                                        SHA-512:5CD20028F6396785E4F0223BE92C059DE054D88252F4E8B9A578B935CB386B140199953A6ACC2BF8425B1C3B653A592AA80A5D7E148CCCAEC57FA6829457C8BE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.851358062531646
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:GT+6ywnVvW0LWoNyb8E9VF6IYinAM+oCcBV/:G99tEpYinAMxCi
                                                                                                                                                                                                                                        MD5:AA591EFB8BF0E36BF1E6E6704216BBB4
                                                                                                                                                                                                                                        SHA1:DE1461DC47C9B5BDEA46C29934D914F71C753C8D
                                                                                                                                                                                                                                        SHA-256:89081E8641B2EF9035E5ACACDD330082AA652B78819295B65B2710A4DF2D0A7E
                                                                                                                                                                                                                                        SHA-512:C04A7AC7F64CBC1D3EBB2CBA24E7D07E1714E41B6F27B86E86808E8BAC5EC57FAA8AD5229882106604245794DEB236B95A37343C840DB1A80A5AF896F3C4B89A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.849139120493329
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:RRbzriaXT+WlEWENyb8E9VF6IYinAM+oCri+tBPWSe:r7icWEpYinAMxCu8pe
                                                                                                                                                                                                                                        MD5:D1310043B82B94AC1BC180B5BF617D76
                                                                                                                                                                                                                                        SHA1:A27CBA6E87B4DB7CCCAFF72A305C61943A6033B1
                                                                                                                                                                                                                                        SHA-256:CD652BADAC8C9CE2CE221BF466F4F9F843F2B125846CD5EF6929E1B77976A085
                                                                                                                                                                                                                                        SHA-512:61A34C547EEC04DBDD9B2226ADF40AA404086D2971EFE9A239EAB6CAEF7FCC2A1420AC9686C171D444818E7D5BEC2830093070E3EE77FA1781DACEFE36E2274A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):148528
                                                                                                                                                                                                                                        Entropy (8bit):5.418314255292507
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:IHOdYYWg+GImdMEGK61wb5nx03LBblQ6Ndk66byYSI4Zki+BReD4pK/uYxtl+97B:3dYO+3m9R6e1x03BZ6bDSzZ8B0uAP+9V
                                                                                                                                                                                                                                        MD5:8DBDE3A97C28D3344D4227AE15C708EE
                                                                                                                                                                                                                                        SHA1:6294D16DC998832F6FA5A1A1AA01B450CCB97826
                                                                                                                                                                                                                                        SHA-256:F3140CC951BF272C5E38D769A7D351EF986A1BF33EF43B6BA694CE4397BCECFE
                                                                                                                                                                                                                                        SHA-512:ECC338746D72C298A364F4480C2F40003010D72D668C29109CFA41C3F350E5DB4A6EF8A6514724006AF57F9C6E87ABE5B933B63985086F57B1CEB72C8E6B316E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.812636234707437
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:qzNnzx7FWjYW5sHNyby2sE9jBF6IYiYF8pA5K+oCGUHF8oymiaZJx56co:4RtRWjYW2Nyb8E9VF6IYinAM+oCIAW
                                                                                                                                                                                                                                        MD5:16D2FD3D290EDA13521A860F295C9732
                                                                                                                                                                                                                                        SHA1:7F5EDA28E9D8057AD3683C3E9F96AD193314544D
                                                                                                                                                                                                                                        SHA-256:3A114F13C848ECA1AF9965CC8B93412AD84080C5C3E0217681C724F5F1EF080E
                                                                                                                                                                                                                                        SHA-512:CB9AF21F595B193D8F62003AE69C3E21227E8BE3B1ADB8C5C5DB9F390CA98CA1171CF23C3296C739B5C61CC98F2DF586A816281338C28CC72F5FA9571A5A3AC3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 15408
Entropy (8bit): 6.894254159830432
Encrypted: false
Malicious: true
Reputation: unknown
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 52784
Entropy (8bit): 6.248230070449665
Encrypted: false
Malicious: true
Reputation: unknown
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 15408
Entropy (8bit): 6.855374776694347
Encrypted: false
Malicious: true
Reputation: unknown
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 15920
Entropy (8bit): 6.7752522324333615
Encrypted: false
Malicious: true
Reputation: unknown
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 17968
Entropy (8bit): 6.660800364274412
Encrypted: false
Malicious: true
Reputation: unknown
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 15408
Entropy (8bit): 6.8745478333746295
Encrypted: false
Malicious: true
Reputation: unknown
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 15408
Entropy (8bit): 6.857361004400195
Encrypted: false
                                                                                                                                                                                                                                        SSDEEP:192:vYqArxbYWHaW5uiNyby2sE9jBF6IYiYF8pA5K+oCGUHF2zfxGLuDP4A13:3AlcWHaWBNyb8E9VF6IYinAM+oCyo8D9
                                                                                                                                                                                                                                        MD5:343FB82DF6CFC390EE8375B8202D6178
                                                                                                                                                                                                                                        SHA1:3E46C69112CDC189AF64A8E19C9D0396521C94D9
                                                                                                                                                                                                                                        SHA-256:0BA15E45585ED38FE6BFA49FC9393FD8DBE249C7A3745D9419CCCB3CAF785E6C
                                                                                                                                                                                                                                        SHA-512:B8E95D9416BA51B21067B8069126922DF2E1BADADE629380A79D73113E180149187EB5307559553FF6236432A4705C32EC8374AF54B17639B11BC2B56100EDE5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.778572218931067
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:GGIZnWlNWmNyb8E9VF6IYinAM+oCpcsttGp:TUyxEpYinAMxCPUp
                                                                                                                                                                                                                                        MD5:8BE0161D2171A05F186C14746B17BEDB
                                                                                                                                                                                                                                        SHA1:00697942D486087143ECF3FF76DF82C0032BE484
                                                                                                                                                                                                                                        SHA-256:31624B29570C67C2B07DBC427543B161FA14357B5CEF563289AAFDD940AEFB01
                                                                                                                                                                                                                                        SHA-512:D257CADD5B2BEDA1EDE29DF27319F5AB981D5701879D53454C6D5F95068DF47CDDD562F5A39E4F96AB8B4DCF5E3F468C1FBF99B3B5CCD7270A2A0D93DE4A90F1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25648
                                                                                                                                                                                                                                        Entropy (8bit):6.497756720695681
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:vlQnCMi33333333kj8xe+5PTYM3zUy+CezHjzgKj0uRWOdWmWJdW8Nyb8E9VF6I8:9Qq33333333kX+TBi8rEpYinAMxC/x
                                                                                                                                                                                                                                        MD5:DE5C0ED2F925B497B7B7757ED8F91409
                                                                                                                                                                                                                                        SHA1:CA37D6E91C6453FC7829E539D61F06F5B00B6240
                                                                                                                                                                                                                                        SHA-256:3B9AA9BA30DB7890238C498AB453A84E12AFB6CD06E73B8B08A8C350FC36668E
                                                                                                                                                                                                                                        SHA-512:6D7478CC97704587755CC267FC5101B8E2CFF9DD2F5DF1EE452A967C1A57B1542F97878F4376E750C5D05631246B1C723D410E2EDBF5D7F1FE3C5688214F831E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.852137502873179
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:M28YFlXulWY/WnNyb8E9VF6IYinAM+oCKD95M:M0q6EpYinAMxCr
                                                                                                                                                                                                                                        MD5:74CCEFACED2DFCB8EAF7ED590225C293
                                                                                                                                                                                                                                        SHA1:DB828B60B5AA764DA4DE0B2AA17A2E7256879399
                                                                                                                                                                                                                                        SHA-256:D5BFFC15212B4FB4389CC4C95D951312CD776A16F7EEC1201BE97A236D53C749
                                                                                                                                                                                                                                        SHA-512:93CF84C3D13640876B8707F04BA27C3CEDB04078EE8A3CD89442ACD9D47C2FB836EB16E4CB4AA46EC0C1CECA282F992156B76B41F4311DE7DE8DE60368CFBF6E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.729399300179517
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ruMLcdQ5MW9MWBNyb8E9VF6IYinAM+oC3SX3q:6OcSpLEpYinAMxCJ
                                                                                                                                                                                                                                        MD5:22109D5725BF49BE5ADAC18EF3A50A6D
                                                                                                                                                                                                                                        SHA1:92A3C52DB9A025ECA3ED3A5CAFFFFF601A9064E9
                                                                                                                                                                                                                                        SHA-256:AEA1F02B322A547346C9763FBDB791D04A7B431E73AADB5FB3284C49B894417B
                                                                                                                                                                                                                                        SHA-512:0A0282006D0ADBE4B53ADBC8840E0C72E087B991691C702AAD17409139E9DF265D1EB2684A83E89ECB8B624713662C3C1289A615675CAD9DBF1E55FDD3AC1844
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.817774131536846
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:DZ7RqXWDRqlRqj0RqFWVNyb8E9VF6IYinAM+oCVauO:F9qKqjqjuqOEpYinAMxCe
                                                                                                                                                                                                                                        MD5:D6EEAF33753199829D5B52F3883200E4
                                                                                                                                                                                                                                        SHA1:1C26480373B43132E4E048C53E4B92B1658DA3B2
                                                                                                                                                                                                                                        SHA-256:E011C1A5F690BA6FB9817ED9E082853264EF95FC172E2E392D8253C72C76528C
                                                                                                                                                                                                                                        SHA-512:3338703701A77500C3B4BDAD3E409CD6F9C59AEDF3424602A8644CC55903A16EEA993C7F83B45600857C0760C40BA3AA1AABC32A58D8DA21A7BE417C92CCE610
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20016
                                                                                                                                                                                                                                        Entropy (8bit):6.629984909380605
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:SNBMbljRC+lgfS1RPWYR1Rw0R9WYRPWYRDRj0R9WSNyb8E9VF6IYinAM+oC3r3Mf:SvMhF2SzNzwu/NljuREpYinAMxCm7
                                                                                                                                                                                                                                        MD5:F1E0C61D29D9AD41465EE509300A3CF6
                                                                                                                                                                                                                                        SHA1:4BD633384150D5C762419185DF0C7B546B2530A9
                                                                                                                                                                                                                                        SHA-256:6D063F8112D7C3D72AB7554FA5284CCEB8548446B84B644DD2B43FAE088468D2
                                                                                                                                                                                                                                        SHA-512:71F39E6B7318F80CB9B04CCB5EA3A5F0D7ACC9A0DF7F515F7F812AE8E5DF9FEFB8FFA8E4BA489665845ED60B4D360C29A7D7E42976266FE88641EE5023BE2423
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.902202422569465
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:gZ4RLWdRfRJ0RZWuNyb8E9VF6IYinAM+oCly3R:gZK0pJu5EpYinAMxCoh
                                                                                                                                                                                                                                        MD5:AF0541474D5101B83A9F9BCA4CCAE18D
                                                                                                                                                                                                                                        SHA1:C4531C3A35C23BD0A8DB7C478E449F1096EEFBD0
                                                                                                                                                                                                                                        SHA-256:BF0E37B6DFC48AEB4584D8CFC11E4220DD2461B4B0958E7ADBDEB4F885F69E01
                                                                                                                                                                                                                                        SHA-512:30CAE5D0A7E67533F25ED2A416B9C028F636FF7252B4F36B67A3E8BA3B867B1F54EADF4D5B8845A090D170CE717315B9CC48B478F0439D17B8F6DEDF1FDB7897
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.79684773831365
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:6YWsmW5Nyb8E9VF6IYinAM+oC39mzk3UDguY1:62VEpYinAMxCQ43Igj1
                                                                                                                                                                                                                                        MD5:0285B025E379D72CEC77E76E6C3C9199
                                                                                                                                                                                                                                        SHA1:D917A4FB16C519390EA44D85212336961135323D
                                                                                                                                                                                                                                        SHA-256:1AB9B6D48D9439DFA26567E091790BB6C4B72B683666362ED2BF82953D610F63
                                                                                                                                                                                                                                        SHA-512:8A4C66125E46F6A0267957F7831744904CCE776ED626C94B782DE4739158C4F07F6FC96EC248A79A8DFDF2899FB13A6EF1650C7B5C710224F509A25A4A1395B9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):105008
                                                                                                                                                                                                                                        Entropy (8bit):6.382793274888649
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:Gvc/U5yNq2oS4Zd0LE3YigSFvhoZO2K3aAYH2TfXmNoJXW7HxSs:6gk1tiLMYiDFvxqrWDWNoJXWr
                                                                                                                                                                                                                                        MD5:5BEF80B4461EA7FC40F7AEB314517182
                                                                                                                                                                                                                                        SHA1:2368C820139FF5F59819CF4332BE2F5C36074B98
                                                                                                                                                                                                                                        SHA-256:BD5AB932E8DFAE0F86CC92AEEE2EA42FDCEB1BE46E040FD691117B2455809DC0
                                                                                                                                                                                                                                        SHA-512:8479ECE93EDBEEB7AE11C7151A65AFBE26B989C644F5D388981F96652E773BB606F8B7FCD318E1880CF53EE1CFE26AEFD416EED6C22282C8CB6874CF56A400E3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.85654417947107
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:gKcuz1W1cWMNyb8E9VF6IYinAM+oCLnEi2:wu86EpYinAMxCbt2
                                                                                                                                                                                                                                        MD5:46F337980AD8DF3B32AB242BF1B9A464
                                                                                                                                                                                                                                        SHA1:4B385DA3DABA54274FC4B677FBA52F07947C6D08
                                                                                                                                                                                                                                        SHA-256:18D88E8C000BBF063C19B6465FE39C133062D5404B30231A9B1BD61990D3D4F4
                                                                                                                                                                                                                                        SHA-512:90E102A13D56C96DEECF4FD08486100E61E410FACA1E83EFF2B1C9AFBA9F1149A9D002551F980E8214C77B89D749164ED935B541CFA20102F5952DA2A02B243A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.8625580935847115
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:XpXYpxjSSWikW5I0Nyby2sE9jBF6IYiYF8pA5K+oCGUHFUd79eOJZY:8+SWikWBNyb8E9VF6IYinAM+oCAd5DY
                                                                                                                                                                                                                                        MD5:AAD632FB4B9825F4CFD41EF51D22B0C5
                                                                                                                                                                                                                                        SHA1:FF28D7F1D15C144D82B3FDA1FD0F3DA64DC1A14A
                                                                                                                                                                                                                                        SHA-256:73D2A7858834E875F1802312D04FDA41B757FD38092639CE8F7423F7F69DE918
                                                                                                                                                                                                                                        SHA-512:70476DB9ECF8E2A421EFA525FF91185C861670AF6CC2B2121DBBF145E4071940E85D41F398DD9EC1F57D457538189AAF8071A92B1012802E376F37FA74FC6AA7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.9090505900126455
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:8DxxhREWzgW5mGNyby2sE9jBF6IYiYF8pA5K+oCGUHF76amaGRcSg:gAWzgWlNyb8E9VF6IYinAM+oCXAS1
                                                                                                                                                                                                                                        MD5:C3A28534C6151BBB807A8CB4DF0C56FD
                                                                                                                                                                                                                                        SHA1:C51FCD2C452ABF79D2ECCC9E571B9AABD296E745
                                                                                                                                                                                                                                        SHA-256:8B9C14A2ABB45BBB1D94D8931129F657BEFE3CC87139B3CE9CD68EC4ECCAF617
                                                                                                                                                                                                                                        SHA-512:EED8722C22EFD790A40595772C762303C61D9F89BDB37045DA63395A6024FB99751C86CF249426F5DB9EFEE8A64F0FC5845BC815401F42B425E508F0DEC0A542
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.86573166821119
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.853003578203525
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.91349914772287
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.875910359378026
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.853688680069455
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.8712991278808655
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.822162805236912
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.856876886578975
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:USUP9W70WTNyb8E9VF6IYinAM+oCu1J518Q:xUe5EpYinAMxC0p8Q
                                                                                                                                                                                                                                        MD5:FAB955A3E4EEEE01097ABB43A3607C86
                                                                                                                                                                                                                                        SHA1:8766ABB10D70E64F2DBC7B6CDBECCEE31182665A
                                                                                                                                                                                                                                        SHA-256:18BC3E5B242C7481112A78BECAB84A62F99A1496E3A08F8B5AAB0A73CE6FD51F
                                                                                                                                                                                                                                        SHA-512:E27CF08356365768C3C9D73FC3FF6EF71FBDDB2EC4890932F68A2CFCAEFA6BB75DC40C7C2C8B7F02C72A912F8FCD18BCA1F6186AA1DAF62D842D9F77788F17B0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.8529608893292115
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:08yg07W0/WFNyb8E9VF6IYinAM+oC/ojZ:0BH0EpYinAMxCAF
                                                                                                                                                                                                                                        MD5:C9638F49F3429205B5288AFC2894F505
                                                                                                                                                                                                                                        SHA1:29356F053603A24AE8EDDDF6A0E6F99DB739A3F8
                                                                                                                                                                                                                                        SHA-256:0CEED106BEB406C2051AD24CF4C3B01C872EFC44418F6407860453826AAAABB3
                                                                                                                                                                                                                                        SHA-512:78E1996CB1315775F84756179A8123BFA8DF4F5E5669FE247BEB529B87F6EB6DBEC58D312843BEBEE163F79987156ECD9530F648E106484861D4F95EC7036A2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.815737222976089
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:8ueAxQJ4WmRW58/Nyby2sE9jBF6IYiYF8pA5K+oCGUHFOq/gkY:ye1WmRWaNyb8E9VF6IYinAM+oCasgkY
                                                                                                                                                                                                                                        MD5:0EBF8BA019503FFF6CE8C96B8451916A
                                                                                                                                                                                                                                        SHA1:4057552663294F1652E7BD277FAAB97F3FC99E44
                                                                                                                                                                                                                                        SHA-256:3D1D440E865A8FB047483F7211E6DECBB3AEF9B1062D3D30164EC447BE95CD26
                                                                                                                                                                                                                                        SHA-512:F7F9E374CA3BF171B98D63E2D93E61748E465ABEB9183281A6AB10FB5AA0DE25E5EB5C12BEA2461A2982449F459CECFDC8DF44754FBC28C0552FF559695C416E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):142384
                                                                                                                                                                                                                                        Entropy (8bit):6.161184989113367
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:mUGrszKKLBFa9DvrJGeesIf3afNs2AldfIQ6D:RBFd3/aFs21
                                                                                                                                                                                                                                        MD5:54D029A43A6C0F42ED4A23FDFA2D5C73
                                                                                                                                                                                                                                        SHA1:C4FF7EAE7E07A523E9307EF2C2D56480BE2B79FA
                                                                                                                                                                                                                                        SHA-256:DDFDA1DB70F43D20679590F1075F7DCD8604A67AF927CFBBA607B497C3A1DC37
                                                                                                                                                                                                                                        SHA-512:A36DBFDBF74D949EB0BDBC1EA36C7CD0200CE6A74507A538D1BFDDCD8EBCE59D635B761E9727F336FAFA2508B6A086BC9FF984EF3A50573C017B259077AE39D6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):192560
                                                                                                                                                                                                                                        Entropy (8bit):6.115283764355454
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:ceruQlNGOhYq0AQcTvankc+8lbKta4FUPAT8xpRI454I/Kv6RpZ8dwPSgUX4:VW60VcTvakcXcApOD4
                                                                                                                                                                                                                                        MD5:2DE6CACC7CAAE8EC32A4ACCA2372217B
                                                                                                                                                                                                                                        SHA1:AEC33C954F09DE00D3DD0106CA18CC34D3D269E5
                                                                                                                                                                                                                                        SHA-256:32AD73E09CF913CDD10B802FDE60CAA3009C642672C811AC293BBF96BC9C8C78
                                                                                                                                                                                                                                        SHA-512:444FAA8453BCB54ECBE8256F60435E4EF1831EAAEB663B8AB2B56A14683FFE8B6607D119AB4A8D0F4E55947D03AA8F16839DF5A1BBD3E4B7A29CF475B3FD196F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.838008946902689
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cZsxgyrWYLW5lSNyby2sE9jBF6IYiYF8pA5K+oCGUHF5LxLCMIuPkr8:y6ZWYLWyNyb8E9VF6IYinAM+oCNNLpF
                                                                                                                                                                                                                                        MD5:90409A11B947C7B7851C1C3F3BA682BF
                                                                                                                                                                                                                                        SHA1:D0F4051772DAC6D8BEE286E3D2F3EEB66B93C76F
                                                                                                                                                                                                                                        SHA-256:A36DC3D7D40EA97A84093EF4B46CCD55B6B7B306305DCF1A66F58AD77BF703DD
                                                                                                                                                                                                                                        SHA-512:972E0F5B4C25BA1AF38420D5D2FCF93B3B5BE4AC3A95ADE19CB7DE567F2472B0074825CE1253E918D1DED321355A42D572659652B33AA34339AD20792DAC2A55
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.790255214658902
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:A1W1WMQWrNyb8E9VF6IYinAM+oCuH2kRwO:b15EpYinAMxCunwO
                                                                                                                                                                                                                                        MD5:3F00A1C64D87CBFE42BDA418FEA21722
                                                                                                                                                                                                                                        SHA1:BE09231122402528197546510483B2991994DCFC
                                                                                                                                                                                                                                        SHA-256:521A6998CD06C2779435F481BD55A05ED2F1A56879C2D45F641446C31AF3657A
                                                                                                                                                                                                                                        SHA-512:E8F3C9170766999A856D263801F5A3AAD2C86EC2927777D2F907AEAE6644D8638339EA603308A9F9928144F12663A8878F7552AB7EE242145388EBBDE371926C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.831937561896812
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:PdSWSKWvNyb8E9VF6IYinAM+oCsVaSL3l:VOHEpYinAMxC03l
                                                                                                                                                                                                                                        MD5:998563BC54AD72451D67ABB161021DD1
                                                                                                                                                                                                                                        SHA1:28157C4B0416DA275B402DE200C9ADE54AB661F7
                                                                                                                                                                                                                                        SHA-256:45E5B90735B46F184AF6C8ED8B7A7E6E421B0693769B0246200B3275CAFA3CFE
                                                                                                                                                                                                                                        SHA-512:198A1A66549BE21BD72E664D8D7420D316A9CDF223A40F31CAF082807987AA2BE7501FD0AE527117B4BC7B7120F621E02CB2B146894AA9B91467C99D21E5E572
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.751094184544074
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:vJEYA2WkIWhNyb8E9VF6IYinAM+oC1IZM2RO:vyYA8vEpYinAMxC+ZS
                                                                                                                                                                                                                                        MD5:B90388FE21BCE3614272D5D811CFA0F4
                                                                                                                                                                                                                                        SHA1:2A6CD094FD5F379010886274EBDAA726E215109A
                                                                                                                                                                                                                                        SHA-256:184B301478FCA800DD5ACAB7E9C93C577917AAD9410B7B0AFF59A8584C86C38A
                                                                                                                                                                                                                                        SHA-512:27F8FCF3021CB76BBBA526E793CE5BBA473B65B949A21273C9EB6EE30E9ECB4EBE41B64265F106948111C5BF82E6F89E33C90B71674BE5163D9B71BBE66E20D7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.873207581433883
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:jl0qgopJ5xBcWe4W5PqNyby2sE9jBF6IYiYF8pA5K+oCGUHFVO3BuOu:BJGWe4WENyb8E9VF6IYinAM+oC5Oxs
                                                                                                                                                                                                                                        MD5:B054E10ADC5FA8E493876287A6458E5B
                                                                                                                                                                                                                                        SHA1:570E449F809521B0B7EB13C50C85411233210932
                                                                                                                                                                                                                                        SHA-256:4E2FFE1EA36813D662BEDC8C0F10F0B8117DDCD7B2D05C12DC821FF0CD35C14F
                                                                                                                                                                                                                                        SHA-512:97761E42CE08B770FE02AD22C237E5384820F516A5D8E2EE2AAAF7109C3A3347D98855FD33C537E03FDA8952186529D979CC8D70D21177C315B0A0ACB0D9DB9A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.7845057032264044
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:4dW1w3WesWvNyb8E9VF6IYinAM+oCV47eL:h1wx1EpYinAMxC+g
                                                                                                                                                                                                                                        MD5:B2C53320FDF5CA8A04DB60B170BF7141
                                                                                                                                                                                                                                        SHA1:F6B6E809514EFB12460A23C04CBBDEA9BA48F464
                                                                                                                                                                                                                                        SHA-256:3A21E7A51031A173F7A4B3A749DA253D741E6FDA19515C5E00CBE0FA99F5571F
                                                                                                                                                                                                                                        SHA-512:D87E00F90633A3FBB61D4BB347511593B33B6AC17FEF57E8785087BC6F57069B01DFC481BF4834DC9EFBB19323CE88D4E0E2653BEB32F0A788106D466EEF3834
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):24624
                                                                                                                                                                                                                                        Entropy (8bit):6.5950895512475265
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:6ylNGlfdqj5531HJTABhf8g2MkO1ICMbmiT2Y4Y3ocWS9sWvW8YsWmNyb8E9VF6R:6yp12Bhkg3qnV/sEEpYinAMxCRN
                                                                                                                                                                                                                                        MD5:C3389FF2057FE22EB3F83AA8AD988B61
                                                                                                                                                                                                                                        SHA1:937E0F25E0C6E5870F73724F2276530DF2DA3357
                                                                                                                                                                                                                                        SHA-256:A2BDF759ED39D7189DAEAAAC69B8C0AA561D084C68B3865E7A814F40CF253F0C
                                                                                                                                                                                                                                        SHA-512:A7ECE9C58E1830478D2C28CA3AD7FA7270F4D91CB66C0CB1FA6C8B60DF9EB5C526200EE13161C4F9186F8AE8A4C49900AEAE3EBE762FCC9FFCBA25ACC930CFEB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.854004665858865
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:hSHlx2PW1bW5akNyby2sE9jBF6IYiYF8pA5K+oCGUHFl5tvx9niT:kHPAW1bWPNyb8E9VF6IYinAM+oCJ5ry
                                                                                                                                                                                                                                        MD5:80A31AF6647EE20B2BF11C959CF2B6F2
                                                                                                                                                                                                                                        SHA1:699B1AC5E0AA58077F85662824DB7613EEE2F629
                                                                                                                                                                                                                                        SHA-256:FF7B2BB2119A21DCB6BC5637967168675AD845ECC98B9CA03CDA0B33E6AC5C56
                                                                                                                                                                                                                                        SHA-512:5837112C325AF3BA01767270C65A242E21DB07D9F93A0582D63662B2993ECC84EE0533D21468B780D2F6067C9AB1AA9815E2E87E314C7058D14C4B3FD6B0F23C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.855645358104699
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:E+TxwFqWD7W5d/Nyby2sE9jBF6IYiYF8pA5K+oCGUHFCet6ZFUZBW:nNoqWD7WXNyb8E9VF6IYinAM+oCeb6M
                                                                                                                                                                                                                                        MD5:DD7E87359C9DB7FD20E598618AE2922F
                                                                                                                                                                                                                                        SHA1:FC88EAAAE9FBD0A2BBFCD50D596C6E4B92415F6F
                                                                                                                                                                                                                                        SHA-256:C2F129AB3052CC82762C716FA8340E3C9E27DCF90C1ACC7D7CD8BDE19218863F
                                                                                                                                                                                                                                        SHA-512:CBD18E95DC34ECD7199FD0930F6C31C373F536732C5518A1A75D6400108D94871CCCCFF006382CDCF77206D0DCB2FC0E9E68CBD2B41562A47A88D79FE1439DE2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.865214773597899
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:CGETSAWUEWvNyb8E9VF6IYinAM+oC6t/Z:YT1tEpYinAMxCA
                                                                                                                                                                                                                                        MD5:6E279028DB84C8CCEA36A4DFB8FD8B2E
                                                                                                                                                                                                                                        SHA1:7E93D1B484CE601657096C490A35E9B20521F326
                                                                                                                                                                                                                                        SHA-256:7FEB317E233C08040ECDF429124D63007C6B6BCF8E17BAD422C98A15462E23CA
                                                                                                                                                                                                                                        SHA-512:1D7211AB09E0076499F5A2CA2C4DB4B2F856CA62CC2AC68D068568291ADDF0AA5CFE6BA5AAE0CE4146A72CE2607CD2DBE419179DDED8567E56F26892A8C2AFE6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):110128
                                                                                                                                                                                                                                        Entropy (8bit):5.512625823117999
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:KPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/i7Hxi7:KWw0SUUKBM8aOUiiGw7qa9tK/iE7
                                                                                                                                                                                                                                        MD5:931C73931BC6E2DBCB34683C2AE71923
                                                                                                                                                                                                                                        SHA1:BB5C166A81B45AF1B74FED5C6AD36813358BA3F9
                                                                                                                                                                                                                                        SHA-256:D9FCD3BD5EA8DC4E388E45BB835ACB8DEA101C272F65947366D8FE76927E4C6B
                                                                                                                                                                                                                                        SHA-512:8771A47AB96999AA2E9E6AA4974304A54AA9F67298F43B201F22184D89508C34D04E302B4659AACDE2BCAE5944779E3E788A69A2C16AC42BCF291DB25639098E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.846809432296737
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:icDagtDApWSKJWVNyb8E9VF6IYinAM+oC4LsCdT:iPKBCEpYinAMxCN8T
                                                                                                                                                                                                                                        MD5:2693D271F2B9F6D14E3AEEF0079C0EF1
                                                                                                                                                                                                                                        SHA1:2EBE522B25B4C183F22A8239221BF3B52AC5FDD5
                                                                                                                                                                                                                                        SHA-256:3B78B3B56306054BF30B6EC881E24FFF29FEBE08DE44EC17294ACDFD2C0F6C64
                                                                                                                                                                                                                                        SHA-512:ABF3258FA8CE7B5A9CAC2AA50CA03D6D7D7D4820692B37407A8B4C6769A4EEB0D921FEA48DD8436B95F6EC8F57FE1D2658625266D468FF895468879B5B9C5B87
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.860267420444249
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:96NxhqWD4W52ANyby2sE9jBF6IYiYF8pA5K+oCGUHFAybofRxmAebkm:QIWD4W3Nyb8E9VF6IYinAM+oCM0YCn
                                                                                                                                                                                                                                        MD5:4BF6BE85C36275A13BDFAAA3D9A55D49
                                                                                                                                                                                                                                        SHA1:0E7B0643665F823E6FAA3AE79138103B407385F4
                                                                                                                                                                                                                                        SHA-256:22DE5910AC98140B787679D367B97B4EAE56EE6CBDFCB2790CDBFACC21F58B79
                                                                                                                                                                                                                                        SHA-512:83566A383155FBDB3F39238BE3048C3E95748C9B98DFC1906D6FB525DD146B31FBD79FE705EB14E6B0614F89EBA037FF8D22ABB32CD6EC64DD6365F1DCB8D499
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.787583373266895
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:zW2KxVSWzQW5g3Nyby2sE9jBF6IYiYF8pA5K+oCGUHFh/JZlpxpmG:UMWzQWONyb8E9VF6IYinAM+oCN/JPv
                                                                                                                                                                                                                                        MD5:8AB3FA586374C8F665CDEA48E03F5E1A
                                                                                                                                                                                                                                        SHA1:497791FAEF03AE27B63231CBFE41955EBB28B11B
                                                                                                                                                                                                                                        SHA-256:FEE7ECB7BEF2EFE3C6B01FA2A79FBBB430E8071DEBA438E4352B1F7E052955BC
                                                                                                                                                                                                                                        SHA-512:74F56813CA882971D5BA4C21EA9545E0C2AEE7689EF1C84FA3731BCA0CE6516920676A6833911FE98DF845E9E36066278739560CF32FAFC2ED22A31F15ED2951
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.724412451599048
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:cxDHKWAMWeNyb8E9VF6IYinAM+oClPKIx:0D8wEpYinAMxCVV
                                                                                                                                                                                                                                        MD5:F723F054F62113FDFA44DAEE679AC8B4
                                                                                                                                                                                                                                        SHA1:5279D462CE00635EEC95FFEEF7DB61586A93563B
                                                                                                                                                                                                                                        SHA-256:70A53B0BC7F8EF46BAFEDCF5AB5C4BBEA6F5AE716F9E38AB272A844CB22E607D
                                                                                                                                                                                                                                        SHA-512:FCFE41A357F312634742957781655CFDBAF261DA1F5084BCCAF7E6FA11024FAFC881D42B69925956C96DD441C302F3DFD4E3F1D6481853D5055D75E84DD0D97C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.829726456767626
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:RLNBEW6pWpNyb8E9VF6IYinAM+oCdT1qeKSL:RbMmEpYinAMxCpB
                                                                                                                                                                                                                                        MD5:88ECE5ECD98CFC34709EB39ED3F8CA46
                                                                                                                                                                                                                                        SHA1:AD0C3D223C73C7CA6D681E95A7480C51517BABD1
                                                                                                                                                                                                                                        SHA-256:9A47E35C14B0B0092EDDE88E669B0CC68388D725FB0A9D2406DBEB16914A8389
                                                                                                                                                                                                                                        SHA-512:D60589ED9C35715079CC2413CB9D31B67FB58A0C1AE9B144F5CB0AC1DEB031EC915B2815BA3A681EEDE2548CA0DFAE834B8D014D25B3F61BB4B900788BA75126
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.888134245403728
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:eGKkHKW/tW7Nyb8E9VF6IYinAM+oCkNKuTMYO+/:OuMEpYinAMxCWlMc
                                                                                                                                                                                                                                        MD5:15E74C0613513DCA5D4DD727E0DD3207
                                                                                                                                                                                                                                        SHA1:1FE9A68B150B27BA0AAE00D6854ECEA060E19CE9
                                                                                                                                                                                                                                        SHA-256:323BF439BCD5EB7162B8A10C1276E4F78E3C34F45612A7F1B15DDBBB1D7D25E6
                                                                                                                                                                                                                                        SHA-512:65BDA143AB8971A371967DC3C0899531B40EF47BC5577EB10E5BB79F86BAE4195140DB28C7AEB6B41D1A133725A569A56AB9538F881BE06D0732A152CAFA99F9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.831431780203924
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:mLnfIWqrW2Nyb8E9VF6IYinAM+oC7Dq1bol85e:mDf47EpYinAMxCgboic
                                                                                                                                                                                                                                        MD5:6996229697B1E24DE5B12FD88D5A5CAE
                                                                                                                                                                                                                                        SHA1:FE47C6768321BF0FD13DC325925EC06955F1DA88
                                                                                                                                                                                                                                        SHA-256:DA8B015E87211DF5DE78DF1D70E24815B03D4439522E22AF45A905F8BC93A62A
                                                                                                                                                                                                                                        SHA-512:43E4D049A7A830C5BE76677A139D812DDF4701A5585AEEDF373C7D08C0370AD8CE9355D6E61C47AAA7A04714780D6A496303792A894BE99C0E51FF7895D8A2CC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17968
                                                                                                                                                                                                                                        Entropy (8bit):6.676207828645295
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:fh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeB2cL3:fy9eEpYinAMxCA2u
                                                                                                                                                                                                                                        MD5:E9EBB2532A1867B9B03595F877447A96
                                                                                                                                                                                                                                        SHA1:6CDA0FBA52665633A00A02B00B5C68797398A6AD
                                                                                                                                                                                                                                        SHA-256:297A2F95106E444B185C95564ACF7DD345B3A030B968F14AA68347927B7FCD5F
                                                                                                                                                                                                                                        SHA-512:757B7E5187618AD926FBE82C572C1E99BB001A64E185782887378508D54ED1F1A67C0B8E19AD55C6D3BAA82FA4D59E6A8B45F59DFA941511571576026389F86A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.815870354501672
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:dZhbRtxWl8WK1W5D1Nyby2sE9jBF6IYiYF8pA5K+oCGUHF8x/6DpR5D28fRr:3na8WK1WTNyb8E9VF6IYinAM+oCY43ys
                                                                                                                                                                                                                                        MD5:0200AAD129C7AAB6424AF4B860722FE2
                                                                                                                                                                                                                                        SHA1:463C9AFD695B3D511FF63613FAEA250591BB9909
                                                                                                                                                                                                                                        SHA-256:8D4C5CF6884976BD775F9571CACDD3C5A5D4F5B4111F6F2A166FDD3BE8C73664
                                                                                                                                                                                                                                        SHA-512:36DD447951A0051E2134454DA1D34543094617C00FAC739E888983EE744A8D528C4F79E12C0048BEE3D3C522C2068AB758E06BFCBC0DD667483A79FA86132973
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.764501115140365
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:oBSWITWjNyb8E9VF6IYinAM+oC3mR692kge2:o6eEpYinAMxCWRbl
                                                                                                                                                                                                                                        MD5:60763BD7655E4488DE99891C038AC653
                                                                                                                                                                                                                                        SHA1:4FBC8805D8F72DA0A550F938479FA27AFB35FDB4
                                                                                                                                                                                                                                        SHA-256:150EBE9FDDB4CCD4DB1E0099A9A8D6DE1BAAFAC0F7485D6B192E1F140C9190C6
                                                                                                                                                                                                                                        SHA-512:87326FE63C93E04741906F9396AB687C7BFC2545B49B2940698ED170CE7CFF9B06E1941AA7CE4657AB7F89DCC2904B6B96E8F48A9F0FA0E00D58EC3EFE8C7E0D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.876032877580039
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:w88cIIWNoWINyb8E9VF6IYinAM+oCJGXu:w9cUeEpYinAMxCP
                                                                                                                                                                                                                                        MD5:CB9B03A1A829DA4BE34DB2D81AE0CAD3
                                                                                                                                                                                                                                        SHA1:581816DA44E007D4E217250C18A37C80CFF60EE9
                                                                                                                                                                                                                                        SHA-256:E074B2D28B6B291D50A26FB826B9F5C0D0FAC9875D0FE376E62D87D74DD662F1
                                                                                                                                                                                                                                        SHA-512:8645955EAD75C37126EAA3F3FC29156383C80ECEFF816666B780BD335564DF3CD9DD031B494B08EB4323D2DE5636C0B05D6E4A80B39E2D6FDD7D3D74CD4C26AD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22576
                                                                                                                                                                                                                                        Entropy (8bit):6.6208384922553005
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:AkUwx9rm5go1fWKmmW4oqN5dWjaWxNyb8E9VF6IYinAM+oCowXwdpI:vrmoFmWXX5EpYinAMxCbV
                                                                                                                                                                                                                                        MD5:F07970272436BDE14C717AA6FB6EE787
                                                                                                                                                                                                                                        SHA1:7EE8D69F3D623A41EA484A3DF884EC45F5D3E35B
                                                                                                                                                                                                                                        SHA-256:611EBF3B158310837987FDCE1F2081621B5149EB9184E1A64CB7D9441D681FE1
                                                                                                                                                                                                                                        SHA-512:AF2ED31F1564E4F83E1265D1232130E3308F69CDFDEEEE351A2B71461480EB3178108DC466BD3369F917BC7B0243D5AE0CB89813FAB983F08DA25A7F2E9CDEE1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18480
                                                                                                                                                                                                                                        Entropy (8bit):6.676697242770522
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:J09bOAghbsDCyVnVc3p/i2fBVlAO/BRU+psbC984vmJHrE1dtx66aI2sU52RWVsn:gOAghbsDCyVnVc3p/i2fBVlAO/BRU+p1
                                                                                                                                                                                                                                        MD5:775AFBF01588C7589D1BD212228B773A
                                                                                                                                                                                                                                        SHA1:59606BBFE270C902433CF4AE14F7B79A79803575
                                                                                                                                                                                                                                        SHA-256:16D4AFFA6D67631E5B00B563EC9866844615ADA141FBBEFAFDDC76288A11DA3E
                                                                                                                                                                                                                                        SHA-512:1C47371FE6FBCB91236039A386C32FEB46C351C805E9F4E3CA6B67FC65FB46E58362218F2805ACA5831A54234581DB5908A2C75E5A52B1FB918C93A65326D9C0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.832534352209227
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:clYx4AW6RW524Nyby2sE9jBF6IYiYF8pA5K+oCGUHFt7kRCh/xl:H7W6RWLNyb8E9VF6IYinAM+oCZ7LP
                                                                                                                                                                                                                                        MD5:CB03FC4364E123ECB3F9EC8C9C0EBD3E
                                                                                                                                                                                                                                        SHA1:5FA9207A2C652B401D7E789B2E9F8115E06A6C61
                                                                                                                                                                                                                                        SHA-256:75258974E26A6F8A5F77C9E37226A019F92BF779F893AC096CF76C11DD53D8AD
                                                                                                                                                                                                                                        SHA-512:F711DCDE1CA8C6441976CD2014FDC81945AEE31BD55A913D1849299D873B2A3EED95777368BF28247C7E1C8391E373A2F743B6493073B0A778FBB91B16B5D663
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.923044192027933
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:bI5HeWFwTBsW9Nyb8E9VF6IYinAM+oCuKGS:bI5HFwTB3EpYinAMxClF
                                                                                                                                                                                                                                        MD5:0AD9DC0EC16347B1D5C63ECBE30311D1
                                                                                                                                                                                                                                        SHA1:D6017E36A76241CA73170064360C50BE64C07688
                                                                                                                                                                                                                                        SHA-256:A649DA0189A64F11A02BDFE96FD0E98F36A6F39CCF19B02A503D476AB01946BE
                                                                                                                                                                                                                                        SHA-512:41F9FA8D3A1C09369A6DCDE2824F670DD79839AF08C488E3B4B0C3A3683ECD708483B01FC0642D51DBFED28ED50BD316BECEA40D8E08D60BA2D22E48F17E599E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.893205476830528
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:2AJpVWbfkBnWdNyb8E9VF6IYinAM+oCn2+bc:2AJpWfkBEEpYinAMxC8
                                                                                                                                                                                                                                        MD5:9BF8F9A5BFCCEEFAA114EBC6F70808AF
                                                                                                                                                                                                                                        SHA1:6D0DDB18EAD8F7BB12EBEB365638A62A32702C09
                                                                                                                                                                                                                                        SHA-256:2A4AF3551AFE55DFB2A5021648584806E1DEBB6BB2FA5B95629864675C62F108
                                                                                                                                                                                                                                        SHA-512:4119F4DE9D71D56C7D1011049D53D1FE9C2AAE0AD4E6E0D7B772263563E8C015624AC0F42068D781165AFF6818D572A0B7418DE8BE0D27C703DE23B5AD26ADDC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21040
                                                                                                                                                                                                                                        Entropy (8bit):6.543654661703608
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Q8R71h7yzt94dHWFgQBVWeHWFyTBVWMNyb8E9VF6IYinAM+oCRNuk:R1dyAqgQBfqyTBjEpYinAMxCj
                                                                                                                                                                                                                                        MD5:131FE34C147488474B3780ECBA9CA2B1
                                                                                                                                                                                                                                        SHA1:80222449BD692B2B0BC0697EEE10E5F28F5553FD
                                                                                                                                                                                                                                        SHA-256:C98A37553629E21D6282620FBE96CFE5C32CCC599D64D26C10595DF9C7DCB6B4
                                                                                                                                                                                                                                        SHA-512:ADED1960251A4D4F6E79BD07361C1E6C94279F9921707DD719450B32E1DA296DFB4571FF0ADA9E9A51ED550F463F2284AD7F7FDBB185CCF8F34ED162B6477CC0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18992
                                                                                                                                                                                                                                        Entropy (8bit):6.683203744220023
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:qpsBljcZQIVI8CNwbcyMWs4oBOW9MWG4tBOWUNyb8E9VF6IYinAM+oCZ8oCLjw:QsPMQMI8COYyi4oBNw4tBEEpYinAMxCn
                                                                                                                                                                                                                                        MD5:2AC6BC6A2D827227FE6CE644FFE8D73D
                                                                                                                                                                                                                                        SHA1:A80FA5323B867297D26B295B91792BC5F5F3C758
                                                                                                                                                                                                                                        SHA-256:25C5204CD765A9CB6086034BEB6323E052F7C4E4FE92D2886727674212DE86FB
                                                                                                                                                                                                                                        SHA-512:3ABE1DB508A5F46CB252A06D58D4097579BDD2D2DD8C498918F713C880C9248E8EDA36A0045AA7102A0693D17C0BDBFCC351896CEE39E735C89ADC4E31205A97
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):23600
                                                                                                                                                                                                                                        Entropy (8bit):6.317248152653794
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:/bhigwLAuZtM66g/Id7WVXWwNyb8E9VF6IYinAM+oCdTtC:/bhzkKs1EpYinAMxCK
                                                                                                                                                                                                                                        MD5:AF91C40C3BD107071976AF46B3CE34A6
                                                                                                                                                                                                                                        SHA1:13F72EE267C47D8B08C1CCDD03F88E3CA56377B4
                                                                                                                                                                                                                                        SHA-256:39285F2D570EF2E8159A95B2BD58F0B43157B33FF3635BA25591E5BDA71EFBF5
                                                                                                                                                                                                                                        SHA-512:002520D27A22D70B2D09AED91B7475F20EF4003B949A4487C4B6E6E96867527B6B94F9E84B686DD18E0F9A82543BB7B472D3FB9D21509A744B2A54097A59D07E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.86896886618503
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:QUcX6W9aWmNyb8E9VF6IYinAM+oC7y5a+me:QUchSEpYinAMxCmH
                                                                                                                                                                                                                                        MD5:14058F5A666BBFD6BB646E746D5B48B5
                                                                                                                                                                                                                                        SHA1:F31F08C97261D9D09CB4E02BA2EBF53F426C897F
                                                                                                                                                                                                                                        SHA-256:926175A6649BA7C13A8F342EEB65E7417332AA394B8F39965E198B46EF729950
                                                                                                                                                                                                                                        SHA-512:CD4EBF748E0E6B9B632465D54BADA1E6819767133E7C8705BD3391ECCC5338FF6D513720ABD9CFC99FB087120496BE4CC0F440A793C6E7A9473EAC97008CC793
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41008
                                                                                                                                                                                                                                        Entropy (8bit):5.951328363917011
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:zoBj7kS+8mjvHTeaWKs0Sd4eerEpYinAMxCpP:+Pmb9WKs0PeeE7Hx+
                                                                                                                                                                                                                                        MD5:CED72FC79E6D4FF16B9A76728887E509
                                                                                                                                                                                                                                        SHA1:D687D052C038FB471D7D6D46D8DBC73CB7A07067
                                                                                                                                                                                                                                        SHA-256:7E0006F103956A9D641B2DBB9A47E3B21C91F5190C5624C2AB4B846FC3F451C1
                                                                                                                                                                                                                                        SHA-512:562DCEA613662A0321F35B77C9969162F52100BA2C0D8DC400F8BC0A428A52FAAE6D286C06E32C648EEFB4A26FADB2C569C69E6077DB6162F1C98C80C799D056
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.896928440934084
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:zTI2pWPzWKNyb8E9VF6IYinAM+oCWxypAkr:zE3bEpYinAMxCpphr
                                                                                                                                                                                                                                        MD5:DA2F1512E50E51DB617CFF52FD28D01A
                                                                                                                                                                                                                                        SHA1:F91665918E0614A5C5C3B80DE3A9D802E1E95708
                                                                                                                                                                                                                                        SHA-256:2048F20BC6E12BE1BF7FB2E069574B6FFC98575AB47F6951CB2C5ABB653DAE68
                                                                                                                                                                                                                                        SHA-512:5BB5A158C28E1E49A3670CD214D316629F6F90B0DF9139D5ECF82ACE69604A3F16B9CC0A14C1B838C246EA7DDB51549A4E8A86435105B69D9B1C68051EE654A9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.910345815931198
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:icezoy4W04WFNyb8E9VF6IYinAM+oCmpT1O:iBzoy+DEpYinAMxCd
                                                                                                                                                                                                                                        MD5:169707A3381CD292BD7292A4B9D1C2CF
                                                                                                                                                                                                                                        SHA1:CE776869CE9BA7E86CC79090D33D681179BFA205
                                                                                                                                                                                                                                        SHA-256:36AFF4C1AE832E79382C27316A537F7D763B1A5D7CBAF7459AA58BB3D820AA8B
                                                                                                                                                                                                                                        SHA-512:AB905C75BB2ABE4BB9089017F10A693B4807C130135BAB4200674E2122880577386639BCBA30219D858A036A7E3529A6A26BB0ED1240473B2424E8040B6547EA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.798868146749093
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cWgHWexY+WKpW5ryNyby2sE9jBF6IYiYF8pA5K+oCGUHFjekeA4hVe:CH/JWKpWwNyb8E9VF6IYinAM+oCXj4a
                                                                                                                                                                                                                                        MD5:7C7ECA9268D236DBC3D38D1BC35F55B3
                                                                                                                                                                                                                                        SHA1:C55649A5E3640D6B84FF2E6C81380BCD185AC382
                                                                                                                                                                                                                                        SHA-256:76FC7D0D1E6D3E2347B2BA45CA1AA524173EFA515FC01432B3EC835F7698C94E
                                                                                                                                                                                                                                        SHA-512:848FE242579CDFEF65D6081ADD4D84E29FB8BDF97DF0DA4FE7A0D33B635DA8D3D5E4A47D6D02229D7F92BF73836DE79C0A6F1E37A36063EB56B3D3F38F96A8FE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16944
                                                                                                                                                                                                                                        Entropy (8bit):6.745446603238014
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ZTjbocNsWMhWbNyb8E9VF6IYinAM+oCtLnN1V:dboYy8EpYinAMxCt/V
                                                                                                                                                                                                                                        MD5:7693637CC6EF9E68E36C7F4077AA380B
                                                                                                                                                                                                                                        SHA1:8930E57AC50545B83424D57190020B09E851AAC5
                                                                                                                                                                                                                                        SHA-256:25401F34A2134DFE37753C88C3EBC0DE56FF2AB7129C39561465C1BE2CB25AEF
                                                                                                                                                                                                                                        SHA-512:61D7BCBF6C44DDD6F0DA80B3343623E6D2945EC23BDA018242CE362B15D2212F13B14D0CAD71C0D242F8B3CB0A54A0338B16FE81793FAD20E4903EBBFC521319
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.843058770096932
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:c4fExAJsjWVWhW5W9Nyby2sE9jBF6IYiYF8pA5K+oCGUHFvpHIq8aPQp:jSKiWIhWCNyb8E9VF6IYinAM+oCLp8pp
                                                                                                                                                                                                                                        MD5:C2533F5E37D64C4CCE5C8D4BB95C4D46
                                                                                                                                                                                                                                        SHA1:FDA124A70A00FEBFFCF3FFDA41B6EBDFEF9409E2
                                                                                                                                                                                                                                        SHA-256:5D6DFB62B1C8612F34051D5C97A9B1724632C4986A1E7DC457A4E5E343B2C773
                                                                                                                                                                                                                                        SHA-512:D1DEA8C559007059A853AD96774B1BE0ADD20AD3964BAA2BA8CDDCD0E139D3B7F90108DF386B0D7C738EEB438E3E02E9EFAB5E98F9DC39BBACD40077FE2B5A2B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.7905252400346585
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:UT0KbZWApWmWTpWeNyb8E9VF6IYinAM+oCkp8ewd:UIKRylEpYinAMxC3fd
                                                                                                                                                                                                                                        MD5:CACA3160EE4426170E66FA0863F229E1
                                                                                                                                                                                                                                        SHA1:28A6611F8263E342AA23812A74EBE20CD9B8C235
                                                                                                                                                                                                                                        SHA-256:DDB20FDAEF5F18C2D7DD591A6EBF8EF6DA437FA69ED8CA100545C7D3E7D2B5BE
                                                                                                                                                                                                                                        SHA-512:B0A344EAA2C7C8ED8C63F07370D592D9B16364029FB5608EDF5E1B172C1539C8E1071A7E56BC7513832D55A8AE5A96B1A133FBFC4968A4340A51103E88E0C490
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.874303280973402
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Ub1nWCXWzNyb8E9VF6IYinAM+oCnY3chk:G7SEpYinAMxCa
                                                                                                                                                                                                                                        MD5:E53EFE89896BB9F08203FD90DA7BD38B
                                                                                                                                                                                                                                        SHA1:C59907873E91FA42A65137437D01A3A327DA4438
                                                                                                                                                                                                                                        SHA-256:E1D577ECD2560E125DFFE2D4FBA81B75B4EF4E09A385957069779F945CC85280
                                                                                                                                                                                                                                        SHA-512:44B3003FE9C5742F5B597DB51C9369D910EB1F270CA25B8FFFC107C87E1021F59907EBCA4D1CD72C40DEB921E91481C7DE2F66365B08FDF932A4E7DC8B0DC278
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.7756158533202395
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:vTyW7TWWNyb8E9VF6IYinAM+oCRr9Y1z+:LfLEpYinAMxCYC
                                                                                                                                                                                                                                        MD5:E5C57CD7176B3BEE7D9452B1C212BC96
                                                                                                                                                                                                                                        SHA1:ADF073E730030D28051B378E4B9B1885E9792256
                                                                                                                                                                                                                                        SHA-256:93DFE34B332B853F3244A35794F2446C8D1AF9998572E18B2C66EFB91408C201
                                                                                                                                                                                                                                        SHA-512:A6CADA7FA2FCAEA2F929BC3374CFADE04A5B85CAA357BD3969F1546B55C285DC0398204E5FC783CB439130D134E0C61623A16F818DB19687F8FB300C0684A681
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.9090433068080275
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:V6Rb32WVzW+Nyb8E9VF6IYinAM+oC0R1H:sRb3dfEpYinAMxCC
                                                                                                                                                                                                                                        MD5:3DB50CDA65D7FB3624A42C32DC7F0788
                                                                                                                                                                                                                                        SHA1:4706E50247AB4ADB707D62A7EC983056020555A6
                                                                                                                                                                                                                                        SHA-256:3FC6D41341952107FF61281301E9151CC8698B2B639CDC702DB7892DC1AAA52C
                                                                                                                                                                                                                                        SHA-512:365B5CCBE40A3B7D34C0C4A762B14010735B5B4A41EBDC77553F6909F175342ACD68243042C07940355EAB6D32422E4912700DA96721337EFC69802FE907B29B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):31792
                                                                                                                                                                                                                                        Entropy (8bit):6.536607270841918
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Du5I+sqOylryry8qqIfUc7a5FEpYinAMxC6Tw:DYIVBpry8qqIfUcm5e7Hxzs
                                                                                                                                                                                                                                        MD5:538B08D8E5D718AE71BAD5A3D3CF6C94
                                                                                                                                                                                                                                        SHA1:6B9D97968FF9BC1B83DD4E643553074E90F41C28
                                                                                                                                                                                                                                        SHA-256:4B04CEE0628125C0377B31D2AA321F0A6F6E2EABDD40C0BD99DFFAC0673F3EEA
                                                                                                                                                                                                                                        SHA-512:73D76A5A5D080B0E09363AB38785EDEAAC67BC0D6C00199E683910D2C3D2B7304C394AEA1848547688A592CA466AF7E943C36C6307249A3E9D3E099DD48C2ADE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.877555047522914
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Bvn4HREpWiQWRNyb8E9VF6IYinAM+oCeWDJLzS:+SLEpYinAMxC/S
                                                                                                                                                                                                                                        MD5:688CD6D90CC4D2E0F6A130ECE1FACAB1
                                                                                                                                                                                                                                        SHA1:D2B46B07262A3BBD38FC009456B1536B213F5095
                                                                                                                                                                                                                                        SHA-256:8FA61D74E08B4542521D4D50BED918EDBB5E504AAA649E4AC126779DAF4E504E
                                                                                                                                                                                                                                        SHA-512:204EB7BC0485EC5C432088D2F4005BBDB221D0C4E1ADE70C3CE2F685D0AD5770870C04EB8DF9531B1B003FF9BA4BC2C63DC1630816BD9681FB56A50DA32AFAAB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.774196906426326
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:v8MjKb47T3UCcqFMkJ59WdtW0Nyb8E9VF6IYinAM+oCo/M5:kMjKb4vcGdOfEpYinAMxC/5
                                                                                                                                                                                                                                        MD5:27AF9489A77495A2692D49E95B8F1D98
                                                                                                                                                                                                                                        SHA1:0B1D6BEABEB9079213AB0D6DA86CAE1100D0FCB2
                                                                                                                                                                                                                                        SHA-256:3ED06370BF9C0B1A41DDFAE104EEC32F11F66926F6C1BB3D2053AF1F4648FFC6
                                                                                                                                                                                                                                        SHA-512:D58702C87A4E961DA8DDF59546733C2855A1ED6F6DB334661927E59E3B4E9A59A56824B7E022D60112FD48CFC737CF68CA5F5EF33FCDFE8E2BF34952E81B5896
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.857245131328711
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:EzyNXd4+BW6FW9Nyb8E9VF6IYinAM+oCDYh2uVTA:5zKEpYinAMxCcfA
                                                                                                                                                                                                                                        MD5:84E1CB538F2150601126F664F634479B
                                                                                                                                                                                                                                        SHA1:A738F801214D9E81E10938B8EEB3457814CD50A2
                                                                                                                                                                                                                                        SHA-256:94CE090093F9A6C10B138614A0D57ABD7000C23FB118905C0E00A7132F1D6990
                                                                                                                                                                                                                                        SHA-512:F9024C483AC145303AF496CA84FCBF54BD7079266EEC2B2599F9DE86A1BFED731CF807919ACB0345F2B44680EB6DEE83312B5C8887BED8ADD1DBCECAD456D8E0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.863897497502461
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:gvs2Q3HKJNrWWRWS6Nyb8E9VF6IYinAM+oCm8lwE:guMmEpYinAMxCPiE
                                                                                                                                                                                                                                        MD5:723420ED3393D954FB8A33CFC95F7098
                                                                                                                                                                                                                                        SHA1:61901C9288F3B354643FD62FAAB1F1D25F85BC10
                                                                                                                                                                                                                                        SHA-256:9F42B6267CB4DDCC90E7FD2FCD2C423C074BAB7402DFC0332C548DD87E1887B2
                                                                                                                                                                                                                                        SHA-512:C31DA6A702E77D2B31CCB55A1DFFE5DA903DCADF5145416C0ABA2C918D9BCD4E56F6FA961E856224C45A97C0BCA5A4B9F993498F49013842C3ADD43C2E5DD212
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.829635354773763
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:QFz0Q6gcqRhcsMWdMWtNyb8E9VF6IYinAM+oC9Jt1hkp:QFz1c6jEpYinAMxCLxg
                                                                                                                                                                                                                                        MD5:C38B8242373BC54A1CE53B2271EE53A0
                                                                                                                                                                                                                                        SHA1:A5D2E06B1C8413325998D080AC935C207FCF21C2
                                                                                                                                                                                                                                        SHA-256:D3058087C594565F615803F454D9E39533E12A089DC26AA62D5D2DD9885153F6
                                                                                                                                                                                                                                        SHA-512:4288F69D514C833C2D6C851FC30FA7262D5F3C30E5F2DE2CE271FFEE7F5D43610B6A3688A73FB2524A3949B169814195DD5C6D379EB635B2F741AD99588C7865
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.723766249793486
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:96xWA3W4aW/NWgNyb8E9VF6IYinAM+oCIJs0B:9aBbEpYinAMxCa
                                                                                                                                                                                                                                        MD5:7FD709C698C4096B3D115A860BBC5B7F
                                                                                                                                                                                                                                        SHA1:5C4B0725DC6FBA9359CCE7DE23C2F9EBFB61BDD1
                                                                                                                                                                                                                                        SHA-256:A465222CF8A4C464E5247C6D07C3F7EA22F48C9ECF266AD942FA07E4956F4204
                                                                                                                                                                                                                                        SHA-512:16C0D7D48C2F56614EA2C9A71E730475516065BE38A679EC58F17A47A112067D6473E190202F3A7FDC52EA0C0883A07CC44D24E22B3CB70326F1413AFDBE894F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954765955203869
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.853246150275349
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.796004255126891
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16944
                                                                                                                                                                                                                                        Entropy (8bit):6.786559582232923
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15408
                                                                                                                                                                                                                                        Entropy (8bit):6.898265155274898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.8103116939703945
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15920
                                                                                                                                                                                                                                        Entropy (8bit):6.85387595688575
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:J+vxmNWnRW5x+Nyby2sE9jBF6IYiYF8pA5K+oCGUHF8C8cbmwF:MSWnRWmNyb8E9VF6IYinAM+oCIQBF
                                                                                                                                                                                                                                        MD5:861F1D0A0700A51CA1834244E23A47F9
                                                                                                                                                                                                                                        SHA1:A260DD223449DA3D7647EF74548E84719FBF2137
                                                                                                                                                                                                                                        SHA-256:B31397D061644C6602102BE0E7F236569C581395931611C92DEBB49593D0DBAC
                                                                                                                                                                                                                                        SHA-512:29F733F148867B0B55BC2B25E2DD3D9746C5D61626766B3FAC538E750EF1739C2309688FE0C7EE27CD092087145FBC719EB8C2FE380604C5B5B513FEA544CB15
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2355
                                                                                                                                                                                                                                        Entropy (8bit):4.983519993111317
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:PQ/s1zRs1ziVNn7pItUdSl4s1zRs1ziVNn7pItUdSc:PQ/gn/7p7Al4gn/7p7Ac
                                                                                                                                                                                                                                        MD5:958C015A020F73540B8EBC7AEFD4808B
                                                                                                                                                                                                                                        SHA1:D41EB818E3EEF5622EE4C0FDD54A50C7020DD68A
                                                                                                                                                                                                                                        SHA-256:8F8FB399FD6B4E486DCC2753A6F3B8D743A953CFACBAB3AD4C12A92D84D75F2C
                                                                                                                                                                                                                                        SHA-512:99CAE78F46993106FEE137D5A0738CE0FD19581A69111E37CF56272DC42344959DB171C15CA7375680BCBD1986766AB9F99DB3C4D38FBB4C3528F4215A3C0587
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024-08-05 16:19:12.0394|ERROR|AgentPackageOsUpdates|Error executing command, args: getlistofallupdates..exception: System.AggregateException: One or more errors occurred. ---> System.Runtime.InteropServices.COMException: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it..... at WUApiLib.IUpdateSearcher.Search(String criteria).. at AgentPackageOsUpdates.OsUpdates.WindowsUpdates.WuApiService.GetUpdatesByQuery(String query).. at AgentPackageOsUpdates.OsUpdates.WindowsUpdates.WindowsUpdatesService.GetUpdates().. at AgentPackageOsUpdates.OsUpdates.OsUpdatesRetreiver.<Get>d__2.MoveNext()..--- End of stack trace from previous location where exception was thrown ---.. at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw().. at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSucces
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):92720
                                                                                                                                                                                                                                        Entropy (8bit):5.484731092201892
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:u2Ec05j4eAH64rh5fSt5T9nFcI94WX7Hxpb:dlK4eA7mDmWXvb
                                                                                                                                                                                                                                        MD5:46805C5101DEBB9EFB06CF21CCBBB502
                                                                                                                                                                                                                                        SHA1:E84A3D28B002F70B346B49C452924AFCDFDBE151
                                                                                                                                                                                                                                        SHA-256:FFFD8634C2687F4B893563A98D82C7A558A0D0E66670CC2D2094526C45485A4C
                                                                                                                                                                                                                                        SHA-512:B40F703C7BF1AE6C75AE50BD2DF1A3689B06F9613B67C339F74B3FCFB555FB2FABA253D7A59A8FAC754E27957E690588EFDC27C231D40C4781DD30704E181867
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2724164
                                                                                                                                                                                                                                        Entropy (8bit):7.999912898579675
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:49152:Hbodta5BkD1r2fohJOLuNcFtcrdovt8AB6rr3iNYVmX8D6TJ:Hbd5Bk5KW0LuNotWdoF8ABIrlVmXd
                                                                                                                                                                                                                                        MD5:3D2BCFB5362D3163DFF5AAD8D4355B6B
                                                                                                                                                                                                                                        SHA1:0AA893A5F37796322F9B04CD05ACBE77F5D0192F
                                                                                                                                                                                                                                        SHA-256:3C01C6BBEB019AB146832A3BCA1114BE64CE9FD24695403E510026D4CB5E0531
                                                                                                                                                                                                                                        SHA-512:BA2F1EE4FDB0A410DA4096385FA8B0D0B6FEE7B8D6D70A800836DE74105EBFD39865D94133189430CCD3F2AD857BE59A20381E679D8E39FDF3FAF5C580A3627B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49712
                                                                                                                                                                                                                                        Entropy (8bit):6.240849908552794
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:d4O+adkjpMrpZg9aqAehp/+IlOqYPKBtYcFm7B6K9EpYinAMxCue:dN+adk9yeaqAehp//UJSxm7Bl27HxDe
                                                                                                                                                                                                                                        MD5:312BC61FC5CD8B03DB544296DF4A2FCF
                                                                                                                                                                                                                                        SHA1:45AF614002E1AE8D2758B24B0C6ED5BAABE0A6C5
                                                                                                                                                                                                                                        SHA-256:6E822586439A336CBF9191A6302A59212D817B899B32102C3818A9B346265724
                                                                                                                                                                                                                                        SHA-512:F6866D01A24271B3D36C3B52A9C71D508ECF229973EA42E2A2B022BC9944E54A2338C127226046081C7EAF2F28AE80F25ED0EFCB8BC5AFEB209897B3D088EF89
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):776
                                                                                                                                                                                                                                        Entropy (8bit):5.037356665456624
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGp2VYF9LNFF7ap+58hOf/2//3QOFip+5v5OXrRf/2//FicYo4xT:JdszvPF7N8OH2//3dVhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:336CAA70D9EF388EDF8B234E5FC40CEE
                                                                                                                                                                                                                                        SHA1:864CCB7643FC99313E5ACBEB59D608CD179E01BB
                                                                                                                                                                                                                                        SHA-256:9BB07566C5CEAF46CFC1164A63553BB3C00AD8A04138211C6EBA81B60F4FE355
                                                                                                                                                                                                                                        SHA-512:EB037FF55C7D61A4170A9143B7BA40CC43DDBC9E8DF673D7AF03548C27C4410F53A5CDFAFE8942559B9E5061419512F3C8FAA5A6D32ED147DD33F832CF43E637
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>... <supportedRuntime version="v4.0" />... <supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.12.0" newVersion="2.0.12.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXWg:WBV
                                                                                                                                                                                                                                        MD5:E4CDD868A064A7591198586C88F1DEAE
                                                                                                                                                                                                                                        SHA1:F08F61ECC28E76A2E1BDCC85F730DB49730FC558
                                                                                                                                                                                                                                        SHA-256:87ECEA8648BD9D81A90CA9CCA1E81632C0BDD22741A6E7BFC9D9567FF8A8F825
                                                                                                                                                                                                                                        SHA-512:05E1705DB1026F444B8469784197A7050AC64808013574B9C191BE36FA3A5EA0618483D00D50AF1AFECF467D4B42DC13CBF0991F41CE5817F88F5F7EA4D6B30C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=23.1
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96816
                                                                                                                                                                                                                                        Entropy (8bit):6.1799265880352285
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:lJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJd/50vks00UfafgVU7HxLk:lQUm2H5KTfOLgxFJj550vksVUfhVUhk
                                                                                                                                                                                                                                        MD5:75CDF9CF1A702567E3917E44EAC1257D
                                                                                                                                                                                                                                        SHA1:DFDF03DB036281FA08FE2EC3BCC7E13B8D2B93ED
                                                                                                                                                                                                                                        SHA-256:5D76FE832069BFAB55BC9BE685D6D67C561D23E6BB8A00335706F944875299D1
                                                                                                                                                                                                                                        SHA-512:CF842B1D012FC49FE0F866BF533AF671BC4B125C164DD07771A987AB7BB07F919DA38074F8D1C820825A3C4B00A2B49F50897CFFF57D61BD61AE75F8BB1A5753
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960406134027025
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:hBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUf:hBA/ZTvQD0XY0AJBSjRlXP36RMGm
                                                                                                                                                                                                                                        MD5:1FA4866F80381D14F3554FE7C6C79AE4
                                                                                                                                                                                                                                        SHA1:08825442D495BB16FDA1FF0A6C10A58579D807D4
                                                                                                                                                                                                                                        SHA-256:6B1810528BCEF65B72BD67C838C93FB50FE817F70D49DEA1665CA437CD863E16
                                                                                                                                                                                                                                        SHA-512:F4CE2FE9374901AD752611BDC455F9FE8AF8628D9A49A38F4B21039B754E1E3F79DD88777432168ACB11813EB8A487DF6C3264BD6C10A251BF88FCD0FE4C9A0E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49712
                                                                                                                                                                                                                                        Entropy (8bit):6.178262247146794
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:oUb7msEq0sOTNB2QokXVRICX1H3BxzW5rEpYinAMxCz+:pb6TNoQokMClXBxiE7Hxx
                                                                                                                                                                                                                                        MD5:AE1B52580696F8CA48BF7572873E0F91
                                                                                                                                                                                                                                        SHA1:3E0DB1C7455B02C5C6D43FF43A83685E70AD30C0
                                                                                                                                                                                                                                        SHA-256:F9081F3C25DD1F21904D7C46211ABA7385D3669EBD111AB745E02B74270A26A9
                                                                                                                                                                                                                                        SHA-512:EB6FB491B898E0CA47F244B43ACF6155C49718FA57565614175C8EEFC3C348C7FA437195A8FD9C67B3141B75FDDD76E1A7012AAE4C8E82E2DE41A9960B31D8C4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):665
                                                                                                                                                                                                                                        Entropy (8bit):4.979299454183443
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGzNFF7ap+58hOf/2//3QOFip+5v5OXrRf/2//FicYo4xT:JduPF7N8OH2//3dVhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:E4FEA3E49926BC04C6884EF34B7442AB
                                                                                                                                                                                                                                        SHA1:CF4BCACA49C32EAB01ED294DE042C45FFBAB79D2
                                                                                                                                                                                                                                        SHA-256:C17F20B16AB91B512C0351E6B4253250685434B45AD22A65D5BD7AE9BBA10EE6
                                                                                                                                                                                                                                        SHA-512:9B2B73091074BFAFD51D8ACE82A7BA8065A16ECD3EDEF39E87E62CB3C18F2B336305BAFB53DED60A8C8C91E385F7900185CC590324F0089586FB51D3DAEFE4D3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.12.0" newVersion="2.0.12.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6655024
                                                                                                                                                                                                                                        Entropy (8bit):6.267137486268824
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:hCMEM0MUMRMxMwMkfqbjxbSzGVr4W11ByHY4W6upIwww:xlV1qKpkfqbjeGVr4NHYJ60Bww
                                                                                                                                                                                                                                        MD5:216C05D87383192FA44E6EBD99F2C5A7
                                                                                                                                                                                                                                        SHA1:18ACDC3005C9FB2B497764450ADC1D82922C0B7C
                                                                                                                                                                                                                                        SHA-256:2B774D6CCDC6AE658FFA9FBE5DC3DE7FB4FE065C9690DE220946E3CA96BEA38F
                                                                                                                                                                                                                                        SHA-512:4745F6F73FCC03E30B53C13ACCCCA55E8B32A3C686A56D2E857928C2C5ED290EAC7616C0A5BA1FD949A1ADA4A3712604E350A144545BB0F4701B62B36F742882
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):280624
                                                                                                                                                                                                                                        Entropy (8bit):5.691401253212004
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:oG0WgexKpGi8PnJcerXUaxX3HVeES4BEIqTTpX/4ormGpnaVTSGCkMhkEn7GAhCN:oJrycoB3HVeESME3pnaVTS1nh7hCas
                                                                                                                                                                                                                                        MD5:891D0EAED064B8C535A5A70624ABFF3C
                                                                                                                                                                                                                                        SHA1:2C2D2C9980FA6FB1BC03DD37150171F2A4CF6F5B
                                                                                                                                                                                                                                        SHA-256:FBC4E3019044626CFEF42ED4339B6145BFF4BBB654E576E3946B6CAEE351B1E5
                                                                                                                                                                                                                                        SHA-512:9C3A667933B31CC5E5EE378B9E0C983B74EC9A3172B9B7CBE41096B50642F9A63084622B9993BFF6F00777A171B5DFB2521814B3B34D058FC65613B9838508B8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1185456
                                                                                                                                                                                                                                        Entropy (8bit):7.999660178690134
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:24576:Ssoja9MaLduouhVlf0tyv29r1+IdjkaCgs54gvUokF4fEFBb:HoFOJuhV+tyor1+I+aqdM2MFBb
                                                                                                                                                                                                                                        MD5:6C6F85E896655A6EB726482F04C49086
                                                                                                                                                                                                                                        SHA1:2E0C55CD4894117428B34D21A1D53738FCE4B02C
                                                                                                                                                                                                                                        SHA-256:E109400A93FEDE90201BBF37C1868C789888BCE9D03A4AE5B46C48599939C34E
                                                                                                                                                                                                                                        SHA-512:B58303C149DEFFC9E374D5BA42A8A73B7CE890D35F9589FE0B09ACEC541A21D589D49FA5086B965277FA22DFE308357505124F13A6FF1E0DE415EBC40CE61E15
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):28281168
                                                                                                                                                                                                                                        Entropy (8bit):7.9983115885511795
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:393216:UcIh/CM3n8W1YXQKhFPo4ryearUIODSHNBDGy+a5XkLidmzbGuNpRtDsX0O87itv:Ufh/CSLqJQ4raJxFtkLiMTp3DnMtvQA
                                                                                                                                                                                                                                        MD5:586E5A9D36156CF316806527CE9D2177
                                                                                                                                                                                                                                        SHA1:AF1021F2D0A4647D181EB3A0FA8F75ABBF5A43DE
                                                                                                                                                                                                                                        SHA-256:381D234CE8D5692A4DF2783895C2316ED6DC96F4BFC8E62D91A7DFC0E0CC2EB3
                                                                                                                                                                                                                                        SHA-512:E46FCBF574776ED1859296A18734AF102A921E8AEEC0069EE94BC8F24D4C69AA28B1B15DCBA3754AC1AD3EFE099C82BC4653942931EEEB854B2ED0684D52EA85
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):55344
                                                                                                                                                                                                                                        Entropy (8bit):6.139210251385105
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:N2Xj3YqBmARWhNqjxcVqnOvdBsqW/BCiFl0scb/MV7Hx/:wX5BqSBjb0tb/MVJ
                                                                                                                                                                                                                                        MD5:77C613FFADF1F4B2F50D31EEEC83AF30
                                                                                                                                                                                                                                        SHA1:76A6BFD488E73630632CC7BD0C9F51D5D0B71B4C
                                                                                                                                                                                                                                        SHA-256:2A0EAD6E9F424CBC26EF8A27C1EED1A3D0E2DF6419E7F5F10AA787377A28D7CF
                                                                                                                                                                                                                                        SHA-512:29C8AE60D195D525650574933BAD59B98CF8438D47F33EDF80BBDF0C79B32D78F0C0FEBE69C9C98C156F52219ECD58D7E5E669AE39D912ABE53638092ED8B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2010
                                                                                                                                                                                                                                        Entropy (8bit):5.013965898836397
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3rrb7O7Rgdp+1/gYoSagFsg+w3Sg+Cag+XgjdgDt:7rne4wCNj
                                                                                                                                                                                                                                        MD5:0B17B3BE9B3A6F6879998D280941DE55
                                                                                                                                                                                                                                        SHA1:EDE825B51EE11AF7C9221DCE596BB969CD068529
                                                                                                                                                                                                                                        SHA-256:1D69336E421C535CECF2E0326BE39B44EEC8EA39754AC8E855D8E0368E0F4619
                                                                                                                                                                                                                                        SHA-512:06D9CC03B8F7295A6E02376159EA96A83CAED4B584769370C0BF365B25D29C883BA5C8359CFEB7316D13C93B49FD37CCA267F6E7931220CED71435E1F4B639C8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <d
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11
                                                                                                                                                                                                                                        Entropy (8bit):3.459431618637298
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhUnn:Wu
                                                                                                                                                                                                                                        MD5:5EDA46A55C61B07029E7202F8CF1781C
                                                                                                                                                                                                                                        SHA1:862EE76FC1E20A9CC7BC1920309AA67DE42F22D0
                                                                                                                                                                                                                                        SHA-256:12BF7EB46CB4CB90FAE054C798B8FD527F42A5EFC8D7833BB4F68414E2383442
                                                                                                                                                                                                                                        SHA-512:4CF17D20064BE9475E45D5F46B4A3400CDB8180E5E375ECAC8145D18B34C8FCA24432A06AEEC937F5BEDC7C176F4EE29F4978530BE20EDBD7FED38966FE989D6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=1.6
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):93232
                                                                                                                                                                                                                                        Entropy (8bit):6.195903304850222
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:zSvbne0Q41qJ3n8JMW+0KcBLQhZV5M+5Nn0komH7yAfRS7Hx9:zS8UMW+BV5M+5Nn0kom/RS3
                                                                                                                                                                                                                                        MD5:B969BFF44179BF8A3584EEB9E026CAE1
                                                                                                                                                                                                                                        SHA1:DBA7A528F51870B89AED549E81EF0660F43B2943
                                                                                                                                                                                                                                        SHA-256:5EE05D3796AB12ECF7F2D32D48D41D2A2A3FD257AD8456A0EBD5E6019492ECF1
                                                                                                                                                                                                                                        SHA-512:F0643905258D2C09CA0A6C30A0A9AD5AD2FE184A65B7FFA5B7B731FEE8357672B35246626A10B39DF7C18EF1B75328192495685DDF9CD2F524E913D6A2993E18
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95280
                                                                                                                                                                                                                                        Entropy (8bit):5.998418289121845
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6iLY8I1pq2jBTn9kbf0KNGVIYMcoS1JkEX5g7HxlF:/Z0PMcjrgF
                                                                                                                                                                                                                                        MD5:3AB0B86F5D058374AC789F05FB6C6E81
                                                                                                                                                                                                                                        SHA1:4C8142A6EA10F48735429B125ADC278178FA0082
                                                                                                                                                                                                                                        SHA-256:5F773968BD0501D91C4AE1339D248B4F766C39885B35088953AFB1BE6FBCC4E8
                                                                                                                                                                                                                                        SHA-512:1A6CC62361FDD20A99D9551E677269D9D67B6F4B66C09083E07AE5732C23FFE15A5E687437A16A27896A19DECEB9F23D7614B6CC44445C365E3A59DED1AEE6E2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.6559468525212
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:wXh+/DtYchNyby2sE9jBF6IYiYF8pA5K+oCGUHFeFl55qz:wXh+tYmNyb8E9VF6IYinAM+oCaF5qz
                                                                                                                                                                                                                                        MD5:8E2D0F47E477FAE8132492A31B26F1B3
                                                                                                                                                                                                                                        SHA1:6C3EB7CB1D5E942DC6A62767A701D201E2F69CE1
                                                                                                                                                                                                                                        SHA-256:7C8CD3B61286AAC09534541EDBFF10618938236830167581BD3E922CA55A1456
                                                                                                                                                                                                                                        SHA-512:B40EA70361F5AFCCB3DC41D38A4F302AEE00B9AAC206AD2DFBD1591A7722AF732BC820C3C66EA3BC0816D4C98E364D1345077EDC786ED19135659AC91E0CFC06
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):75312
                                                                                                                                                                                                                                        Entropy (8bit):6.23943595769723
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Tu2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYH:KF+qo7mDEwj4NXLGcfgruFcg7HxRt
                                                                                                                                                                                                                                        MD5:D5B69F2C4F5CB0E7D43D7F6C1C87DC7E
                                                                                                                                                                                                                                        SHA1:98FDA78C049D650E47C17D9072E82D87C1B59E9F
                                                                                                                                                                                                                                        SHA-256:6C1325D183C7CC3E516628921005F18BB5A191B0029AF93DFB022CA4C2ABBAE9
                                                                                                                                                                                                                                        SHA-512:D95C5CD5E9DAC57FA9C5DE8645F637363A5E787A8C521B09BFBEA56D01765F4FC31E4080BDCAD28BBD90FDB9BEE1CAB50E95FF13CFAC728405D87C3EFE3A387B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):52272
                                                                                                                                                                                                                                        Entropy (8bit):6.4113040933608225
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:TQMnML8f1VNPa7fb8LRaIzlRK/usybUjuUY0vZKE8tcqPqZw+I39Wu1FEpYinAMU:T9ML8LW/usybGYVE8mZw+89Wu1e7Hxav
                                                                                                                                                                                                                                        MD5:94B12931B9032E80157DC27422393FEC
                                                                                                                                                                                                                                        SHA1:2B762FCA27538B55ACF736F7D65E293E5F15EAEA
                                                                                                                                                                                                                                        SHA-256:746AD9902D9310CC2F172736AC156018ECD3843BA58C8337DE017074B06CD645
                                                                                                                                                                                                                                        SHA-512:D943A39FDD74627514818DAF3434BD1ABEB4EE10077E8B10414098DDA2972851795A15CBD4CAD73A67D5171446E4A6D844CDF8BD705E72F34B7DA16678097BE9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398896
                                                                                                                                                                                                                                        Entropy (8bit):6.1343664856235245
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:5jS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvM:5+e55LgIkTmyAAfTnMLvM
                                                                                                                                                                                                                                        MD5:FACA1B5218F8EB76963366A6842E122D
                                                                                                                                                                                                                                        SHA1:41B281ABA7D7FE994EE6C77F7F71042885919EC0
                                                                                                                                                                                                                                        SHA-256:D779F3514666734455B5B2B7AEB035F7E1D7394CD445E332DD4D236E24D5C94E
                                                                                                                                                                                                                                        SHA-512:8F350CB3D0C13A701C67749E103B1E07EE1E2EF8EFE71B70CC728F8E21DC02922BAB241CA256695DAC9B225D450623E9F8DA055EA062E336D7F1CD9D2A3FB6D9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1409
                                                                                                                                                                                                                                        Entropy (8bit):4.992215339808616
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dNQjY8L2PRRkMYaWcvJ9AwcPGnJg8vQpyriEWZoEs4h:cb8MRRkMVB9AwVbIQdsoEf
                                                                                                                                                                                                                                        MD5:766E089F9AF0DAD5BFD8B77167D1E0FD
                                                                                                                                                                                                                                        SHA1:0AD55E6BA596EFEB24867DC9FDCE4B3D2F2D904F
                                                                                                                                                                                                                                        SHA-256:1D95ED644BB7D706E5B8EBDCB875B23F8B21C62C53C701EB8B3385F770808D7E
                                                                                                                                                                                                                                        SHA-512:FD8ECF32094577A51579911AC3722D839A7B0874146B909EB8DC944CDB5DA459BFCF7EB64B47EC08F40515E6C38B4C4CBA1F4D9F9EB403E891A8710310DBAECA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. xsi:schemaLocation="http://www.nlog-project.org/schemas/NLog.xsd NLog.xsd".. autoReload="true".. throwExceptions="false".. internalLogLevel="Off" internalLogFile="c:\temp\nlog-internal.log">.... optional, add some variables.. https://github.com/nlog/NLog/wiki/Configuration-file#variables.. -->.. <variable name="myvar" value="myvalue"/>.... .. See https://github.com/nlog/nlog/wiki/Configuration-file.. for information on customizing logging rules and outputs... -->.. <targets>.... .. add your targets here.. See https://github.com/nlog/NLog/wiki/Targets for possible targets... See https://github.com/nlog/NLog/wiki/Layout-Renderers for the possible layout renderers... -->.... .. Write events to a file with the date in the filename... <target xsi:type="File" na
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):883760
                                                                                                                                                                                                                                        Entropy (8bit):6.071504659955744
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:V1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQJ:V1n1p9LdRN39aQZUqM
                                                                                                                                                                                                                                        MD5:17A183A03C34B8EC1C91B3DD0B50E022
                                                                                                                                                                                                                                        SHA1:7D226520BE51BD71D05D7EB56793233794F87DA4
                                                                                                                                                                                                                                        SHA-256:381278035C5A8A4668D31B12F0BF3DEC6544E9668FED84DA038A8D21D233D72D
                                                                                                                                                                                                                                        SHA-512:AD5591F6B90A07C00F10EF19231BB3C766E9E27C2205AB3A32C15B7D0DE0F732A5600665E4302290C771F06370B23E4FF0AC63E51C1F36899F98CCB6BD5F8C01
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960370699367048
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:hBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUW:hBA/ZTvQD0XY0AJBSjRlXP36RMGj
                                                                                                                                                                                                                                        MD5:53D8AD0BCDED36C2EEBD4D3C45A60BD7
                                                                                                                                                                                                                                        SHA1:9289840CB0518AF183BB41AB05428A6415B92AAE
                                                                                                                                                                                                                                        SHA-256:07A068EF96EE5F447282B42B1818FDFC372B674893E6742A5F83DDBC4DF13ACD
                                                                                                                                                                                                                                        SHA-512:41B19112B6CCE405E16153354223F4AFF548E9F55EDFDC158588E78D9EAA755E10865D7220B916EC14DAB4181C55C005B161B44AC011419EE85EFF5F65975523
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):284208
                                                                                                                                                                                                                                        Entropy (8bit):6.11766612253341
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:IZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHex:Ogo0WPVTXgk
                                                                                                                                                                                                                                        MD5:D1BA01295CAEFA1F00261AAA943FFDBC
                                                                                                                                                                                                                                        SHA1:54BE9D6F121721542E1B563804766592C9EBF14E
                                                                                                                                                                                                                                        SHA-256:F425945B4D1BD5D65776EE4FF4330F33947692EA5E797EDA3103B6E380196BAF
                                                                                                                                                                                                                                        SHA-512:DFFE1F15F635FD9C083B51C66DBE5C5C9B16516B8CA036B262765279FBF01FC521D10AE31288CA3FB5DAD4F8B6E744DDA33FB8698267C40970DCA9409178E067
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22064
                                                                                                                                                                                                                                        Entropy (8bit):6.678784612747097
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ty/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqpx:tuhMaVmzDC67EpYinAMxCJ
                                                                                                                                                                                                                                        MD5:35082EAB5825C9A9D021B5B97BE382B2
                                                                                                                                                                                                                                        SHA1:4716CBD843C8A2A1AA7ED7C95700672E9A863674
                                                                                                                                                                                                                                        SHA-256:B91E3FA4C89230B668EE2DE7D6824DAB708B981F1AE94E734445154BC8A3F6EC
                                                                                                                                                                                                                                        SHA-512:9F0FFB52E060910662AE7AA020AE836119BC609B3E0E9367C7C9D2F2975FC1DDEB1EC1B2F708704C22D666E778B787679BEE5A3CAB5868C09CCB5B57C9026BA2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):97328
                                                                                                                                                                                                                                        Entropy (8bit):6.2419469146373485
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:3NSbHB6zBedWp71O37rGMsQ5gbDnTE8iayI2Sf+Ku6JhbDEhr4WTJ7HxQ:3N3OWMsQ56vd2s+KuYc9RTJa
                                                                                                                                                                                                                                        MD5:9F59EFE4EE7BFF13F5866311048A6A80
                                                                                                                                                                                                                                        SHA1:1F20929EE2BCC0BE40848CC739C6F31CAD13DA69
                                                                                                                                                                                                                                        SHA-256:32FB947BAD722480938922DC363DB76AB0079383C6D732B4998C302B03D87200
                                                                                                                                                                                                                                        SHA-512:CCCAAF2396AD1307AF0B51B424005BFB350508059CD9CF3E9641D396CCA3EC4C22EFB0329DF0AFD0B3888E07559B6904A0361B85A80A527CD3139161CFF91DAA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138288
                                                                                                                                                                                                                                        Entropy (8bit):6.17954530016547
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:G3XFz0qjCIPMAxlUXUKoPfw0kG71AHK7cnO:U0qjCSRE+fw0kG719
                                                                                                                                                                                                                                        MD5:6D055BBD0463057997B216FA41FC1BAA
                                                                                                                                                                                                                                        SHA1:0E3B5685453BFE674252EEFE7B29DDFFE3394F36
                                                                                                                                                                                                                                        SHA-256:94571C1156471E113A0BA58686D0E0F8C8A18B7F5415A17CC00688D6901D6DD6
                                                                                                                                                                                                                                        SHA-512:D3D1FB3588D4AE7279244086069DEF2145FDD341099BD66B801CE1F7EB18F4F68B0043D3CF4BA5C8FA3FA680EF228C3371743AF1E9DCAA64711321EC6A94FCEC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17968
                                                                                                                                                                                                                                        Entropy (8bit):6.673983708245621
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Oh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBhKr+:Oy9eEpYinAMxCAcr+
                                                                                                                                                                                                                                        MD5:351EE6E0FBE6951D43F195DBFD34911A
                                                                                                                                                                                                                                        SHA1:2FAAD5BD1D08D9791C941F6F01BA41473C12DD1F
                                                                                                                                                                                                                                        SHA-256:8B4AF4380F5083A9DC11F5E74FEA942A34DE4AA3740EE0DBCEF92A95AFD656F6
                                                                                                                                                                                                                                        SHA-512:00A0600E0E4541058B8FF5A7314E0C2779B5BA5E3F9FBE9F15556E84D84D8B3C0317116B29A832CB038457EF6CE1FA88149C18E7DD33D27A3ADD3AFFAC5FF9D7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):108
                                                                                                                                                                                                                                        Entropy (8bit):5.053602438794071
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:YszURqDgBH5lJsX+zY+tYjlDR7Iit/aFfbjWYY:YsgR4gBHR1beZN7ltrYY
                                                                                                                                                                                                                                        MD5:802B3B394BA8D759BDFF53381B4A711D
                                                                                                                                                                                                                                        SHA1:4FF73FFBF48E937F5D80709FF46695CB268D5AB1
                                                                                                                                                                                                                                        SHA-256:C02F747A30630C64A23EF2FBD1CC26454116F2F7732ADB95C53E79FCE7E159B7
                                                                                                                                                                                                                                        SHA-512:632EEDE3BF5FC598B1313FD950FD3D2A2F03232C190829766E2FFFB612CFC6D6101005038E1ACECF95A397DC2DB4E481FF356AA3F59141B373D3E231ACD6224A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"IsDotNetInstalled":true,"Version":"Microsoft.NETCore.App 6.0.32","UtcTime":"2024-08-05T20:38:09.0753449Z"}
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):755
                                                                                                                                                                                                                                        Entropy (8bit):5.000182215596623
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:1KkzJUB54KCKszy2Zzdlg3pb3ALoRgOX0UW72RMyodFXiWMgbI1R3ALoRgOX0UJ+:okzJzKJsmxQIg4a7ddS1RQIg4s4kZjD
                                                                                                                                                                                                                                        MD5:26BDF6E9AF8B92CB7A6C692EC245090D
                                                                                                                                                                                                                                        SHA1:3BE2D53D2E56A2EBFFCBC9C9EE8BB60E1AB06C96
                                                                                                                                                                                                                                        SHA-256:FC1EF24F3AEA65130F221EC37CEED1EBCA4C0699291B7E403CDB29AF994D7F33
                                                                                                                                                                                                                                        SHA-512:14971BCDD6CCC886BEF2F34F5B2AD2DCB527CDEA72C2C3D7F339BF0070D730BE470B09A8D3D85254E0B9AE2258670AB9D9EB5A5A849A4B7DB530BA7A65FA61D3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024-08-05 16:58:01.0668|ERROR|DotNetInstallationArguments|Failed sending report to log analytics. Exception:..System.Net.Http.HttpRequestException: Response status code does not indicate success: 403 (Forbidden)... at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode().. at AgentPackageRuntimeInstaller.Infrastructure.LogAnalytics.<PostData>d__8.MoveNext()..--- End of stack trace from previous location where exception was thrown ---.. at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw().. at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task).. at AgentPackageRuntimeInstaller.Infrastructure.LogAnalytics.ReportDotNetInstallation(InstallDotNetResult installDotNetResult)...
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):341730
                                                                                                                                                                                                                                        Entropy (8bit):7.999337452642101
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:6144:NxKFOiTzAX1tvbB7O+N7jdtvgE+EQJdhOmyttoZH6ZizqpPvwrZDGws+lvrOt1sH:rHVtvdO83rP8Kmy01Qi+x4rZstGGmPl
                                                                                                                                                                                                                                        MD5:871A5C66EE690CA69404A447825DA92B
                                                                                                                                                                                                                                        SHA1:598C6A5E1EB369B026DF157BD7E6E5A539AE5357
                                                                                                                                                                                                                                        SHA-256:47D7884AB006354228CD1520767CB282ED89B440FF316EB1C6BFC5F32A58F2AF
                                                                                                                                                                                                                                        SHA-512:077ECD5A92EAC7137B173EE3B85B29D6E069FBF4C2BA14828F2C44407DEE37EE97A23F12631F5484BC750BC6253A4ED8DC8D7D2DC7077AE24CA9E279F5AE631F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):71728
                                                                                                                                                                                                                                        Entropy (8bit):5.465784608818167
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:x2IJ53uykm7XveicQcOSy/EJoUvkk9+7HxFp:o2U9+7p
                                                                                                                                                                                                                                        MD5:A86B9D7A0085275F89BBD0878DBDEE3B
                                                                                                                                                                                                                                        SHA1:C197325871B4F730143991F09452D119D62D9844
                                                                                                                                                                                                                                        SHA-256:07AE4F678137BA470E2512D8A1BB4BAE8FB0E50B9C939861A38646E03453E965
                                                                                                                                                                                                                                        SHA-512:24C19DF705B2535A57003E0B364A35EC537803960C92C5AACA31C218B3ED500E4086F7255918D394592DECC6D3C91770072A43D62B62C302D5E041BC3A0A6FE4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):541
                                                                                                                                                                                                                                        Entropy (8bit):5.097123194334321
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGp2VvOF9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsIOvPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:D0EFB0A6D260DBE5D8C91D94B77D7ACD
                                                                                                                                                                                                                                        SHA1:E33A8C642D2A4B3AF77E0C79671EAB5200A45613
                                                                                                                                                                                                                                        SHA-256:7D38534766A52326A04972A47CACA9C05E95169725D59AB4A995F8A498678102
                                                                                                                                                                                                                                        SHA-512:A3F1CFF570201B8944780CF475B58969332C6AF9BEA0A6231E59443B05FC96DF06A005FF05F78954DBE2FEC42DA207F6D26025AA558D0A30A36F0DF23A44A35C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXUmn:WBhn
                                                                                                                                                                                                                                        MD5:272B142A06EF6A25E54B983494BC5B7F
                                                                                                                                                                                                                                        SHA1:632DDB4BDEC1D0CD4CA181B35C200590F47F428C
                                                                                                                                                                                                                                        SHA-256:E8D2F94EF9CB27FEA2165096A2EBE87E2D5BE624442A95EB7134C407529048AA
                                                                                                                                                                                                                                        SHA-512:A05B9A4B4308C194EFFEAACB2A1CF5EAFFCD0D5799C5FA9D3D164923D0151466310F0AF4431210D02E4667418D5F6E801D5756330F73FF557F849F1770B7EA5B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=21.7
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96816
                                                                                                                                                                                                                                        Entropy (8bit):6.181048054819502
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:mJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7HxwM:mQUm2H5KTfOLgxFJjE50vksVUfPvCx
                                                                                                                                                                                                                                        MD5:619599B698CB7D98CA6EE664083EC192
                                                                                                                                                                                                                                        SHA1:ED098B16D7A5535DB4F3BAE265E3DA073568A9D2
                                                                                                                                                                                                                                        SHA-256:AF5837DAD5E1FE6E990982C199B3A214E52ACCBEB068579DA28BDA2A2FA1DDC0
                                                                                                                                                                                                                                        SHA-512:4E774221C4187502946CE2B6877706D817416C70F392BBAFBCA35509D0316CE546E0E46834D018684489D50269E9AE1421CDE56F72DD80198726433FF53329B1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960740824923357
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:hBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUB:hBjk38WuBcAbwoA/BkjSHXP36RMGE
                                                                                                                                                                                                                                        MD5:1DC2D9D59A68A494B7FD7A4B76C07548
                                                                                                                                                                                                                                        SHA1:88C38261A4C377AF1D613D5EF5EA621EA6266428
                                                                                                                                                                                                                                        SHA-256:48693827CB61669A769C1B98323D4C9E9624896CBD4CC7266CA32E51407F6E8A
                                                                                                                                                                                                                                        SHA-512:FEB3D26098ED8002FE5B0014115730399499E645222AF73F36EC6FA807AB9D0E233A5C2C3C7C32BFE8704B1E718F4507A944CE516A39895834FFA5E6111FE5AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):86
                                                                                                                                                                                                                                        Entropy (8bit):5.162948441747514
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:YhKSLJf2B4VXPFi4ecR6lITHJtFHnFSmu12SYqY:Y5fVzi4DR6STJHF412GY
                                                                                                                                                                                                                                        MD5:E76E43572F9A78D1A41705A1CCF764C3
                                                                                                                                                                                                                                        SHA1:4B73CE1471218F016A3B0F8E384A052DECCA46AC
                                                                                                                                                                                                                                        SHA-256:C064AAA555CEF47E09462BC5EC396131469D3483A6551112535AE23FCF18C27A
                                                                                                                                                                                                                                        SHA-512:97E28F1A6832485997AEBCC5AF7B55D3D0C3F6C0ACBFD414BC12D0E0D0E3D5784DD674729F03B7B03EBE1B37D4A3A5A12FA39B9FC673E3E488E834E6B8419A8F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"DownloadedAt":"2024-08-07T15:53:55.9680573-04:00","Hash":"fEkCdzoZBX2gCqMMPS7yZw=="}
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):693
                                                                                                                                                                                                                                        Entropy (8bit):4.8282581811379774
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:RYYtE3THVezL6KtrGFkKsUQP6mJB/8LwCQ8Lcs3Q8LiMQ8Lci9b3eNRy5TaAq2:d23THs2Ktr4DsVV8cCQ8A/8GMQ8Ai9bx
                                                                                                                                                                                                                                        MD5:B5A5D3A94E9D30D3D2323D20D5FB89FE
                                                                                                                                                                                                                                        SHA1:35809AF646A3DC75EBA2785335755C1214E04261
                                                                                                                                                                                                                                        SHA-256:672EB3F23C5A36A4F9473360B4D027C5820ECFF5BFEB0D5900842900F9AA73F3
                                                                                                                                                                                                                                        SHA-512:CE98D7C6FA66F007860ADD76F44D4EC757F08C6B99CD7847083644D7052A578A2B6D05C27CA82E3DC27747A6BECCE3119A345CCF8E36ED37D5FE160EE0461999
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..08/08/2024 00:48:25 RestartServiceIfNeded failed..Exception: System.InvalidOperationException: Service SplashtopRemoteService was not found on computer '.'. ---> System.ComponentModel.Win32Exception: The specified service does not exist as an installed service.. --- End of inner exception stack trace ---.. at System.ServiceProcess.ServiceController.GenerateNames().. at System.ServiceProcess.ServiceController.get_ServiceName().. at System.ServiceProcess.ServiceController.GenerateStatus().. at System.ServiceProcess.ServiceController.get_Status().. at AgentPackageSTRemote.SplashTopAppInteraction.RestartServiceIfNeeded(String accountId, String agentId, String alphaControlIp)
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):637958
                                                                                                                                                                                                                                        Entropy (8bit):7.999354686674398
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:12288:HVd5b8dhfpvZ3U9ygocoFAdF4r0el92pBW/wFIlzxDFBLXJ:HFbyhfVsySoKdF6D2pswmlpXd
                                                                                                                                                                                                                                        MD5:767D5DD4AD2D6A3E0FF3E45DB47A9657
                                                                                                                                                                                                                                        SHA1:982A2AF2C94AE33CFB240A30A1C6433E5E5689DF
                                                                                                                                                                                                                                        SHA-256:156218F309CAF003096CB28C2FFCD74A0989E4FD0207E485A3292A4D8D1C48ED
                                                                                                                                                                                                                                        SHA-512:E8104B3622BF07059131F3F0A8DC9EA44C7B0E32213F534AEAE229F000B01425B72955197DC776F1B5750FAE2BEAAE888A2EA1D62B1630D3FC5D79B4C57317D2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51248
                                                                                                                                                                                                                                        Entropy (8bit):6.297269575035048
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:MNb66jeKAdzF2a11sxKN/NEQDg8vM2j7HxqW:MQ6jeKAd5b1S2/NPBU2jR
                                                                                                                                                                                                                                        MD5:26E9CCE4BD85A1FCACBF03A8C3F3DDCA
                                                                                                                                                                                                                                        SHA1:3F78C454CC72D4C5B2A0F295530391904EC87948
                                                                                                                                                                                                                                        SHA-256:50F399A3867DEAB18530F8F3E72D489A15F62D6E250F4F795C7BB735F9522899
                                                                                                                                                                                                                                        SHA-512:D57C6A799C01A3F67AFB3DDEDDDBD49ECFC17C2347BEC24ED85207A846547F6288D2023961EDCAB67DFC512E0B1DA187C475A7D01BB1005A61D337EC4FEA0FE0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):973
                                                                                                                                                                                                                                        Entropy (8bit):5.01886272205883
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdsVPF7NhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3s77O7Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                        MD5:3CCA9B00717A374829CA50C82C1E70CF
                                                                                                                                                                                                                                        SHA1:357729D1CBFA36318D8A91BDC8C039E254A7CAA2
                                                                                                                                                                                                                                        SHA-256:4161C6070CDBCB94718A6E76931AE38CABEBB70E5B00C55E799E72E61F0ECAEC
                                                                                                                                                                                                                                        SHA-512:C172CF13115FC724799C50218F00A1055FA84DEC6B9FA28F7C981DE94D4DE64CDC7797E903D4E8B87CA2FAC535B62EB395E372656183C75F42E7086598C3C435
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />.....</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXTLd:WBTp
                                                                                                                                                                                                                                        MD5:B1DE0EF19266A86B8F7A2BCD03ECD23B
                                                                                                                                                                                                                                        SHA1:AB91C344BFECEF0CDB73119D4C5C72BAA8CD21E7
                                                                                                                                                                                                                                        SHA-256:50578EB887B529FB77AFAA4F3A888ECA57E2D640F4789BBEE470F1EFF04DEB7F
                                                                                                                                                                                                                                        SHA-512:656C69FF2C62F2704AC409AA3B04CB78B9767FE908BD0BE4C6977A469B68D7C5F83B786EE915BECF5244E70892A48A92B9D0CA9A767EA329B63A6EAD98F9F274
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=26.8
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):102448
                                                                                                                                                                                                                                        Entropy (8bit):6.190977882973481
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:VPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OL87Hxo:V2bYbYSWd85I5sSakFQhHL8i
                                                                                                                                                                                                                                        MD5:6C0E7E9151E242E401EEBBC13558E3F5
                                                                                                                                                                                                                                        SHA1:9A5963712AD9E0F336A4749E7C258A67EF6260FA
                                                                                                                                                                                                                                        SHA-256:77D6B8CB94B6CF5B399704C3CD5877211D99FCCA58F94D120998FC41185D0E0F
                                                                                                                                                                                                                                        SHA-512:02E5E5FA52BDA5CFF5181196C6A62913FA87D6675CBA27FBFF3D0C50F305BA4CF8D9D8C4016EDC90AB1513BA39D89B50566BFF4D05585583EF03B8AA17BEA793
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16432
                                                                                                                                                                                                                                        Entropy (8bit):6.857474166817892
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:w9c52LPirPW94/DNyb8E9VF6IYinAM+oCOX3lq:w9cym2KEpYinAMxCg3c
                                                                                                                                                                                                                                        MD5:E1AA9E74F8E36783187BA548C26A1D95
                                                                                                                                                                                                                                        SHA1:52FD9D58877986DCDDBDC5C1DAC6825C5720A4F1
                                                                                                                                                                                                                                        SHA-256:CE46D831129B265740E521A614DE1F2BEE211F350FFC9643407C75308E1DBE06
                                                                                                                                                                                                                                        SHA-512:B2D79FD01D4D0BC3CCFFCD62ADD4BC45BB25561892CD23299163EDA10896249F53FD966015B7655C209B33EE413C10565D51861298061E3886B43E77E59ABDB2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):542
                                                                                                                                                                                                                                        Entropy (8bit):5.041389931890446
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGGsVZrdSJ9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdArdEtPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:547C772B1DEA0A1E8030F6ED5BE2AF75
                                                                                                                                                                                                                                        SHA1:6F4A95B2EA3342D7B4D61C715C7FC076EB6A2DC0
                                                                                                                                                                                                                                        SHA-256:C35A8B8AF7ECCB9BA68B129FF7F46EB1279229D637049F40761A697E9DFCD5A4
                                                                                                                                                                                                                                        SHA-512:0F77B35AC34C8E4655F7F1F4EBF1A86AA11F96C689E632DA8BE8A17CC69A9292878E0058DD9EA5FF7315DCDD8B34489F06E6DCBB365569E3BB80E81373792FC0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398896
                                                                                                                                                                                                                                        Entropy (8bit):6.134467211026903
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:WjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvH:W+e55LgIkTmyAAfTnMLvH
                                                                                                                                                                                                                                        MD5:6C03B5CEC0E3BFF6410B020CAC7EC662
                                                                                                                                                                                                                                        SHA1:DE5C6B33A97BBF0B3063CF44DACE307FEB968BF6
                                                                                                                                                                                                                                        SHA-256:05C2739F2AFA9A05514CD75C12BE6C0CD73A8356A28B3FAF84140FEEE416F339
                                                                                                                                                                                                                                        SHA-512:06900ACBA446F813E8181E42A0713B5BBD568068960DD0620C4EDF0F3C096E4C8B409181AC8FC51A24F638E37F908B6212E22DB3799107B51578B6853A8E60C0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960755198774021
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:eBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUj:eBjk38WuBcAbwoA/BkjSHXP36RMGi
                                                                                                                                                                                                                                        MD5:FA365D16F9EB02769CE0ACF75C31C832
                                                                                                                                                                                                                                        SHA1:F83D3F502E92DAD01574D16FDE5E7CA81C53A5DB
                                                                                                                                                                                                                                        SHA-256:63A690F6523922CB55B065764ABA61BE69F11AA93C8437C01485BCC4AC182F46
                                                                                                                                                                                                                                        SHA-512:E26E077C0C5806B3D4E1ABBB06087D08921CF6A46FA700343AA373213180BF9EABD7822CE418E24973909A515BA5B73DD0902402020E5A4AC56D387E378C4AD8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18480
                                                                                                                                                                                                                                        Entropy (8bit):6.708180254980656
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:1qPstMu7M72kNyb8E9VF6IYinAM+oCiSFDKJup:1vMuo7/EpYinAMxCbeup
                                                                                                                                                                                                                                        MD5:C9A5D57AF074418532A591B4443AD16F
                                                                                                                                                                                                                                        SHA1:4F99922845AF05C64B36BC71FD34468683B389D6
                                                                                                                                                                                                                                        SHA-256:322D41E1890A28359ED05AC7C3973C2CA3532CB77F8D0646B982A76FE0A68EE0
                                                                                                                                                                                                                                        SHA-512:461CCFF9F349E6F8BE27F50C54464CA65AEC23DF6C4DEFB5A4AB085F8239899CE88B2C0B2764020807826C92BB2F757DCF39733721595E80C2AAA5A75718D9B7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):500
                                                                                                                                                                                                                                        Entropy (8bit):5.044946190927216
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGp2VOD9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsHPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:5EF8C402347FEC5555700DB9D649C349
                                                                                                                                                                                                                                        SHA1:2E70D02943060011AF38D9200B3461206F56933D
                                                                                                                                                                                                                                        SHA-256:718459DA91EB82BD0ED8AD24CC3EABFCA61D1B5C1D9060111F85CC7D84BADCCA
                                                                                                                                                                                                                                        SHA-512:F2650D2C604459E674810BDA95C37D3FE7747CF67B5736C4275DA91576B36F3FF882FD3F8A5F0591CDF335E935DB716BE827821333297F719C26B1152BCB4D6F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>.. <supportedRuntime version="v4.0" />.....</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22064
                                                                                                                                                                                                                                        Entropy (8bit):6.676917265704932
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ty/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqpodH3T:tuhMaVmzDC67EpYinAMxCWH3T
                                                                                                                                                                                                                                        MD5:F2016790A63364276B5DE090FF0D9516
                                                                                                                                                                                                                                        SHA1:C99BDCCD05A8813E6DEECCDFA0FD675FDC57A488
                                                                                                                                                                                                                                        SHA-256:662DC69A05611BEA25F993F4D249C83340C2F468E9564CA625027A1EA9C84E9A
                                                                                                                                                                                                                                        SHA-512:41CBB8D586AEACC6E9C156561A4C92EF30C3D50B8D4A91C2A0A41E186891C61776E102AC5DEB95A854C2241734A854320B49A0E0A05F20ECBCDB8A0F7E55980E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):64048
                                                                                                                                                                                                                                        Entropy (8bit):6.268502105017609
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:BYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1JEpYinAMxC7z1:BKC9niwOepJ6TJPeb6NIUy7HxUz1
                                                                                                                                                                                                                                        MD5:9B1EA8A460CDBE957FD464E52CB74F9C
                                                                                                                                                                                                                                        SHA1:34574DE2F45BDA8A68F49C031A80476D6E6B711F
                                                                                                                                                                                                                                        SHA-256:41046ADC0E23A6A673C6DDD890C4B43F21A615D470886D59FC436B09B994E7A8
                                                                                                                                                                                                                                        SHA-512:A99E6C7829C4B6994E8AFDB4538DD8954DCFF96F2C59D62FFC91DA2E833F777F870A2F55A60CADBBED97ABA0F6411D6D40DE33D295491B2AEB45CDC51D485003
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):138288
                                                                                                                                                                                                                                        Entropy (8bit):6.17978189203311
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:2P3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IlU:2h0qjC5RMOHO420kN1P
                                                                                                                                                                                                                                        MD5:8D61BFC6E305850F082B2A4FAED267B8
                                                                                                                                                                                                                                        SHA1:543224920E68C0C7B28C9411ECE8B9F8EAFA7DE3
                                                                                                                                                                                                                                        SHA-256:B7EF8E721E39ACE9C8C4B4C4490AE5042634637D24DB4A70AF33D29DC4EC5C10
                                                                                                                                                                                                                                        SHA-512:6AA0C22B6CBD1942AD74386919D8E4F0F69FF47FC97103BDAD3FE029E9137C51DAC70CDB84275AE779965E461BC992DE96028B92A3DB8F0D26B8B53A547CA09E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17968
                                                                                                                                                                                                                                        Entropy (8bit):6.63676850357766
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:7TO9dQWXYW8aVNyb8E9VF6IYinAM+oCJF08IoP:7Cn6CEpYinAMxCk8jP
                                                                                                                                                                                                                                        MD5:F6E07CB084C3B287E2D2525A597A4D0C
                                                                                                                                                                                                                                        SHA1:E9191698963EA0613747BC24842DF8C37E6FBE84
                                                                                                                                                                                                                                        SHA-256:D24366C19E9DFE77B7EA94546F336F20CF8F574F838F68EBB2179C6CBFE4F25A
                                                                                                                                                                                                                                        SHA-512:5AC38F55D0045BFDB9951154E87ED30E98B200C148897E7BD3C19BEFDA634437A1EC5AA2088CE99F0E17644069EEA93E97AE1DA00DB5746C4784228FE35E1725
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3206639
                                                                                                                                                                                                                                        Entropy (8bit):7.999884245147606
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:49152:Oow5J5gnvVKNRoUjRWoRoIF38GcLJd9dA2SZa44yHjC+JDSmmYXJmzIWiLQ0q1Q9:OoY5MvVKNwoFRWd9dAGeZmY0xCUmAAf
                                                                                                                                                                                                                                        MD5:5FAC57935A802E5924B6CCED75F79013
                                                                                                                                                                                                                                        SHA1:776CA3CBFB2017227FE14FC1075496531E4634E0
                                                                                                                                                                                                                                        SHA-256:576E253D8713A908ECCD504A3185499F49EFFE54FA65C73FF9A8FE6D013084DC
                                                                                                                                                                                                                                        SHA-512:223522098CC4A7EF518D7673C598F659352E0F1CA20ED6909405B11A032B97497152E16E659B0D351196B1073B35BC87F6445A4283C377B2EAF9ABD7FF4AC23E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):33328
                                                                                                                                                                                                                                        Entropy (8bit):6.284299649172216
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:77MUZhpWikfoGh5yd1pjJpO6LRjBMlY/KJNyb8E9VF6IYinAM+oCnsjMTVVV:MUZzF++V1NByY/KNEpYinAMxCsAN
                                                                                                                                                                                                                                        MD5:B0E08EBA67B6AAB9E4CD11E3CC0D9988
                                                                                                                                                                                                                                        SHA1:064C7714872283E6FEF3484AD0FE8992C7C768BA
                                                                                                                                                                                                                                        SHA-256:B5B04685C709CF9E36564901410E03BE50721C3A5EAAF23A6EBAA0769D053B03
                                                                                                                                                                                                                                        SHA-512:839851904A2BE4F744518F62D1382DFA6CF48F728FB72BF0B115CFF907FB015FF6DE38FAA17EDD40BB94AA2E05F8DDA2060F7884FB46FAF367521D6DA4A88C67
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1062
                                                                                                                                                                                                                                        Entropy (8bit):5.04288182607063
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/F9y:3sIk7O7RgdjdgFSagFw
                                                                                                                                                                                                                                        MD5:D82D26318224097C2B13F43E879DA855
                                                                                                                                                                                                                                        SHA1:4626369E38B4505371D1376FB9A50B401B21A7E3
                                                                                                                                                                                                                                        SHA-256:1BE14A97E8F1FFC962C060B76FFAC47298D02680F235097CABF378EDB3EA34D6
                                                                                                                                                                                                                                        SHA-512:5E3B09D12E5FEFB6B82DB7E19A3D856D02C683B211F18CEBABC0A6FBEA9B3E84BCFAF414C7DF043F986F78A85DB8A22D4584DCAEBE59CDC0A527D7636B31886A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXSon:WBRn
                                                                                                                                                                                                                                        MD5:4D85725A2F8806375A69DACAADE654D3
                                                                                                                                                                                                                                        SHA1:C7E456274F787B545243539F2F983B54F4975BE2
                                                                                                                                                                                                                                        SHA-256:53C3D04D99D2AC65B205237B62D61B6EDA2B19F32FAE5FCF794B0995E829336C
                                                                                                                                                                                                                                        SHA-512:18FC9D2FBBC646F364D75911B84D66586105728FA0C2EF9E79F47A0CAB09952286C355451AFE1375DB6AB7E4814B6CAE2D844E73F7F58DFE7E24EBFE5222C3EC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=27.9
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):99376
                                                                                                                                                                                                                                        Entropy (8bit):6.189270306890288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:1lAttsLnppOphwrfNIkZP0kLv+ghDBzmItlVYlkL5ihaO40QhflQCxhB7Hxc:1oESpOPptPkW5ihaOdQhfhBW
                                                                                                                                                                                                                                        MD5:E78076BFC4132527A53D595D5FDF393F
                                                                                                                                                                                                                                        SHA1:D6D18E2CB66964A91BDEE573E7B1B51819D6482C
                                                                                                                                                                                                                                        SHA-256:3DBCDA618E10188A870BDD6BC40DF0C77343E9F08C3C37294502D1928DD859BD
                                                                                                                                                                                                                                        SHA-512:A5CC318893A7A39562DD582DE78991A59BE1EB095B55B4C9B501828F80CC59452E278431D89D8664414493E9E2488002CC5FD48A35E278345FD1243DD7E4CA72
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145456
                                                                                                                                                                                                                                        Entropy (8bit):6.2039015654237115
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:QRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIhf:E9XeDmzV2yzlhKLFU1lLVp1+2flYFsyt
                                                                                                                                                                                                                                        MD5:BB6CAD96D2B79192E0457E397B487228
                                                                                                                                                                                                                                        SHA1:CC3EE8403BD2E2E030D58F4CF0544A2896EEDB82
                                                                                                                                                                                                                                        SHA-256:E9901A92E73DB1EECF599755C757ABF8F8C986F267248E5EE810A4516CF29460
                                                                                                                                                                                                                                        SHA-512:5FEDA73B225DD6D4500E2917817B16C397F09F83AE4591DBA16228F3A6F417CDB3479AFC0D08C27FD4D02AE6A0C96D75B694E685ADF026E97751CD5BD44170A7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29232
                                                                                                                                                                                                                                        Entropy (8bit):6.674133418263454
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:9mYaXzmSJL6guJrdvc5tIZmQCaBj4QU3hOTVTDvAGvoOCcdcOFyF61Nyb8E9VF6s:fSJh5tIYQzT5zyF6REpYinAMxCNA
                                                                                                                                                                                                                                        MD5:136148BC7073584591B2F0D9167FE087
                                                                                                                                                                                                                                        SHA1:699C1F47D17121F1E469C6916EEF39CDF741B147
                                                                                                                                                                                                                                        SHA-256:214B7B634A04D5FB9BF3E4E7E4EFE34732C5E108E4AABC59EF54D5BCD1A16ED5
                                                                                                                                                                                                                                        SHA-512:24539D34986E3957984ECCF3FEE79591BCBD0C11A95117B95E265FFD1C87D420578C885591D1B9B91D749DF155B8B20226DBD82A7106C9A70E199C203C1E8495
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):219184
                                                                                                                                                                                                                                        Entropy (8bit):6.063177879478984
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:sYq80gPJle2CpcKyudA1+PVtMG8e7sw9CcHvhl0:sYqqbe2CSod5dtM8ww7Po
                                                                                                                                                                                                                                        MD5:C4D5C80C67148458DAAD0245E4712543
                                                                                                                                                                                                                                        SHA1:E43FC3490BF719C71381C0D0D4BBEDB227565191
                                                                                                                                                                                                                                        SHA-256:65E55AFDECA9A641637FF7F3FD263E0F92522DFD512D449AF3862951386DC989
                                                                                                                                                                                                                                        SHA-512:7EA7085F76A6D8E960A7B07053568F8A006CF3F032BF88FF565C5D96B5A6CD30BD37307F26C932C4A75E80565DFAFEFFE2C1B44EC22163F1511BBC1A3FB9BE84
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):319536
                                                                                                                                                                                                                                        Entropy (8bit):7.0489882734368905
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:ocvArKVm5mx115y505H0jIfJMSFk9X0jIfJMSFk9c:GrzwJMykwwJMykc
                                                                                                                                                                                                                                        MD5:C591BC266A18C7E0896BC67070E82A14
                                                                                                                                                                                                                                        SHA1:12749511C4CCDBB4075882D27CA458E3F6CC1DEC
                                                                                                                                                                                                                                        SHA-256:DDC0B2B904EB6E280A7B6E211D4A514FAF302C22E2F138A551C8F82B43CC231D
                                                                                                                                                                                                                                        SHA-512:D39F69E72AB37AD355298B03472C0EA6577F72BC97C421AF92A2569FA9EE77E557B8255DAD6B81334CF7586D793983CA443599B77A57CA46A01DC8E4A6059EDE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):432
                                                                                                                                                                                                                                        Entropy (8bit):5.0141792226861375
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGzNFF7ap+5v5OXrRf/2//FicYo4xT:JduPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:8F6EB9E75E6A6F0C0D58FB697C10CEDF
                                                                                                                                                                                                                                        SHA1:6944935DFDC33E0C6DB26869BF25EDA85A2622D8
                                                                                                                                                                                                                                        SHA-256:E2B8677434501735FB0233ED0CC2FFEE5BF6FB4387C51DBCB2585A70E42E4F08
                                                                                                                                                                                                                                        SHA-512:A946252B2E3705EAE751A2672D4ADE1499ECEB28C48B4BE6150C4201EE20A7B9A4450C75E06B07F5DAA3528041A566931D988FBD0C2EA90240D61008895BA44A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030712364489919
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:Ed1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s3:EMIzm6pOIgvr7q
                                                                                                                                                                                                                                        MD5:B6C261279E35A4EC920473DE03D60412
                                                                                                                                                                                                                                        SHA1:850C9325D7D10E4700B643E31F260B42B8626111
                                                                                                                                                                                                                                        SHA-256:3BA8D4A359693715E5187BE3057FE193FD9046AB75134FC56C16C1FD6D990D29
                                                                                                                                                                                                                                        SHA-512:1D2F6FB581790FE6E1925DB749ECBE556C2243093D81899248C78A13C4D3947D59E35508486B51E1B2474690C44A65A33B8AA247CE5536891E5C0FAC2DB64BC0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398896
                                                                                                                                                                                                                                        Entropy (8bit):6.134294394466507
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:LjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/Zmvi:L+e55LgIkTmyAAfTnMLvi
                                                                                                                                                                                                                                        MD5:47D5816099AD49878CE2B655D1B9C9DF
                                                                                                                                                                                                                                        SHA1:659748A485051BC52E9D5D1D4CF99411DAB7D2CB
                                                                                                                                                                                                                                        SHA-256:ACD76EFF9F9B88957AE2D18FCC5B3B73F0DF89E91E7ACFD5897F996598C2E0DA
                                                                                                                                                                                                                                        SHA-512:3C7DD943400F859E9962DCB30352DCFCB4542C895E1C2BEB0D6A79921D737981C28A55A6DCC98D524AC2175B55D24E79A2A5B68DBB8A859EEC05D083506241CF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960859492666102
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:dBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUm:dBjk38WuBcAbwoA/BkjSHXP36RMGr
                                                                                                                                                                                                                                        MD5:8050D3052D86AD11EB7D413E54B4FB83
                                                                                                                                                                                                                                        SHA1:265B4C2B109139CC1C957F211454855808B8657A
                                                                                                                                                                                                                                        SHA-256:0EA156202E551D5E0A346ACC75087930943696ACF9094379A024E795BC5C008C
                                                                                                                                                                                                                                        SHA-512:D332937D85A860C97F59D1B32BD3940AEDB9508F0FF9637F1D66A01CFAA77852F69A9D1A734AD9CFAE57C8CC744AD7C8EBCAF0D4778142512FEE9B0E8969466B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):154672
                                                                                                                                                                                                                                        Entropy (8bit):5.991185919362003
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:A4wM6OoRu7qywKsqxhDuPr5xJMnOfMAw3TkHjt0QQNOWIkHUsz72otckj:A4wZywKn/U5xEwKIk0Wn
                                                                                                                                                                                                                                        MD5:52348921ABEBF830E700999998A6F206
                                                                                                                                                                                                                                        SHA1:E92BF0C94E16748BE14A890FA2D275A80BA0E263
                                                                                                                                                                                                                                        SHA-256:866268E0378E7DF84E3A333F7A9BA1E11C2A419A84F17626F421414DF07B13DC
                                                                                                                                                                                                                                        SHA-512:79D45D4A452D7E890F15AD8910B2BF893A95B6005B09E004AF0C31494641E9629D891A2EF8D635C0CEA0F1ED93DF57A1FB5659D4879A1C530E3E791552F93F11
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22064
                                                                                                                                                                                                                                        Entropy (8bit):6.672110215065152
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:KrMdp9yXOfPfAxR5zwWvYW8avNyb8E9VF6IYinAM+oCAE+:KrMcXP6gEpYinAMxCK
                                                                                                                                                                                                                                        MD5:0442CA8E942D8B766DAAEAC8014A02E7
                                                                                                                                                                                                                                        SHA1:6D08C35DADB0C438D2E5833BA6EAA177A4FE298B
                                                                                                                                                                                                                                        SHA-256:48F63E17D05DAAFED8458995FDD7A8581D6587A1D8D93FA04D0D39FC93174563
                                                                                                                                                                                                                                        SHA-512:B277D59ADEE4BF0A7DAFF9021DD6D66DF790969BAF3DDB40CC12073082011E79C9D0821B75E8397FDC083C0F6F28B7C556053A48D366782BA3CDC921C8681F4B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):420400
                                                                                                                                                                                                                                        Entropy (8bit):6.109588205722666
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:95douWvsWkOfjL/MEd6/7vfA8SCW1nFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFi:9pjblhW1C
                                                                                                                                                                                                                                        MD5:5B6872A7699B7EFBF581FFE8A3C62DC0
                                                                                                                                                                                                                                        SHA1:62098EA3AD8D78AB774112F730DA4CD99B0E995D
                                                                                                                                                                                                                                        SHA-256:D21C26667F92B7E336CEA05B433EA7B36E38AD25C00ED70F0FF7D2F5A3BC094D
                                                                                                                                                                                                                                        SHA-512:FB1D71D35A2A0218E850BCF77636F3CB646248E056D18F643D59CADF54E20C44BD3296A520DC56F463E4A7F08F29061CFCE229EFBCE253A26C5537AB567D84A4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):142384
                                                                                                                                                                                                                                        Entropy (8bit):6.161386138446645
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:+UGrszKKLBFa9DvrJGeesIf3afNs2AldfIQw:JBFd3/aFs2F
                                                                                                                                                                                                                                        MD5:E5BBE2EC664C81A0AFB7404F95959717
                                                                                                                                                                                                                                        SHA1:944B9B82457ADB652BEF4D516393E70845E6DBE9
                                                                                                                                                                                                                                        SHA-256:53494A667DA154CE4F00A176F9D4DBF34C24219241DC8CBBF1EBE3A5AC0B0DA7
                                                                                                                                                                                                                                        SHA-512:E643AA8C15F99B4DAC7782B4EEA15C3A9BFB179F9D6E0ADED7F999F4FC4D495F6A7B0A4CDB5B462E4A60E122CEBC3286B9A533D693C495A37BBE84A4CA4737DE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):110128
                                                                                                                                                                                                                                        Entropy (8bit):5.5115380056194665
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:qPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/i7Hx7:qWw0SUUKBM8aOUiiGw7qa9tK/iR
                                                                                                                                                                                                                                        MD5:72767F14726F1045A522DCFDB72DFB13
                                                                                                                                                                                                                                        SHA1:8D8F878AD6FD9D98CD3E7CC59B0896553A90FA47
                                                                                                                                                                                                                                        SHA-256:A457917B4A6AB01243957CA4AD24C72798E49B496FD42B6ED75F7AB6AA292E0E
                                                                                                                                                                                                                                        SHA-512:AF7C0D246E7B1541B5B79D04BD433E2775F95E160C453E662DF8EAEF7698413D96FA55FDBAE3A1E263F2821503637088EB17DC4B2AAC8166A405945ABD44776E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17968
                                                                                                                                                                                                                                        Entropy (8bit):6.674100789852014
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Hh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBY6:Hy9eEpYinAMxCA7
                                                                                                                                                                                                                                        MD5:BDF1852A03720021CA58E98C5D7FEF70
                                                                                                                                                                                                                                        SHA1:323A8FA28B83065E797A68B0705BE6EE51ADB0D2
                                                                                                                                                                                                                                        SHA-256:979090AE2923D45FBDD51B57B4C861140A5BD61CB9FE2D9AE03CEDDA9E8A62F6
                                                                                                                                                                                                                                        SHA-512:AF280A23D74E43EA67FEB52CD83F1DD776BC6004C4CF8D53CC67BBF98751E309895FE53553F8196E8DC9A93F84C40348BD7E5CA6FA4F5D9F429A184EA35B30F6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19504
                                                                                                                                                                                                                                        Entropy (8bit):6.522690976795831
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:oyPa16oAL4D+wW9IWmDIW4IWYDcNyb8E9VF6IYinAM+oCFZkz+U:oWs6oqDjADKeD8EpYinAMxCYp
                                                                                                                                                                                                                                        MD5:3A7AA039FABEB4F6386AF98BACEC0232
                                                                                                                                                                                                                                        SHA1:6F5834497D52EBD14F9A857C5FA46879DE8E6AF2
                                                                                                                                                                                                                                        SHA-256:748784FA9FC1B2163559C407E57A83A0ABF1ED18A06C1209BF81E36E3DCDC557
                                                                                                                                                                                                                                        SHA-512:F3B2EC192020C171D376C7DAC14C5A105E70384C49940986105A9627793277B6724A59ECE9E77DCA0FF8CD5BF3D3780C557F51211B3D57ED0B272AD761D32FDE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):42544
                                                                                                                                                                                                                                        Entropy (8bit):6.380524097436915
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:T9CYs62PirM9Mkvwtwq6uUQ/B0X5tl9wCVjkz3pVS3UpoztjOqNyb8E9VF6IYinO:T9rM94GX7nwOa5VS2ozdOqEpYinAMxCb
                                                                                                                                                                                                                                        MD5:0A47D3DEC633844E1DEABF0DF78E087A
                                                                                                                                                                                                                                        SHA1:C7C1AFC4B57BA915F63B74207D097FE57AE1B3A2
                                                                                                                                                                                                                                        SHA-256:DFCF6C95FFA5C8A87C5D1920C670395003B15F6458263D593AD68E4CBE1A2B27
                                                                                                                                                                                                                                        SHA-512:F628B02D5E735C080F7E2D4C0B7867CC338F2994AF3652CBA18349F84A5BB043EEAD2113A5F859AE0EF97F5CE8120A9C27E4AF1DC663E9BB609E51BFC7796911
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1547
                                                                                                                                                                                                                                        Entropy (8bit):5.008195800038022
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FVruH2/+mV0PH2/+w39y:3sIk7O7RgdjdgFSagFgg+msg+w3w
                                                                                                                                                                                                                                        MD5:029F543956E8B235A70112C77912150A
                                                                                                                                                                                                                                        SHA1:8F8916C78D9D3E5F92C37BDD39D34CD3B79BECA6
                                                                                                                                                                                                                                        SHA-256:33720B1985FE3F07F13744963085FA641F452EC393C3C8987A6023D0BC493BD1
                                                                                                                                                                                                                                        SHA-512:CF6EF25E7FD7E0B04A4F76B1552621874DAAA43838D0C028E62D1AABFFCD57AC7086A174BE9D5AF283DE8E8F09B5B40505478978102A1D8351681532B3828A38
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):68656
                                                                                                                                                                                                                                        Entropy (8bit):6.105195641021154
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:wkwOyj5zzqIsN5PZPeW2UVf5WCmsxMVmD1SM1A6DRFsdDnWqYOpgEWEpYinAMxCR:JwO+zmzhr/WMIM1RDRF8DWqYuX7Hx3q
                                                                                                                                                                                                                                        MD5:786E884FB7DF208F85F19BDAD13DF6E1
                                                                                                                                                                                                                                        SHA1:F64A173A7C30D64C7283039D120F09B24EE6511F
                                                                                                                                                                                                                                        SHA-256:84484EF97BFB07F8F7CB7206FAC69DC906F2FD249CC0475369CE62BE81845E9A
                                                                                                                                                                                                                                        SHA-512:B0B7A5FEA35DCDDD2744F11EA42038F12B70E5B71DAAA2FA40E1DE335C19442000D96794020296ED65DDF49E92CF1DAA739994458668C8BEDB6B264561C04632
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):953
                                                                                                                                                                                                                                        Entropy (8bit):4.9874198404771155
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JduPF7NhOXrRH2/dVxlPH2/FVQ7uH2/F9y:327O7RgdjdgFSagFw
                                                                                                                                                                                                                                        MD5:8C9F9547ABA4CD154FAA858695986C4E
                                                                                                                                                                                                                                        SHA1:667630B8AEA31C20C20EE569983B73028F0DBA21
                                                                                                                                                                                                                                        SHA-256:7DE06E53089587194D3669B5F2050B363CC2AC1BC66F0537EC4D7AD94357D46F
                                                                                                                                                                                                                                        SHA-512:C305E923A197E2C39813D423FE50D94F183E932BCC66DBEE5667AD7F4083254D50510E35ED3603555FEB4C42F580C8A1FA3D1568CC7305D22B79AB406607F836
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):349232
                                                                                                                                                                                                                                        Entropy (8bit):2.891103574883147
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bwhVuqSb/jb5BEH8VAynnnnnnnnnnnnnnnDn+0:bN5x
                                                                                                                                                                                                                                        MD5:1905B32BD7DBD65D51E066D70ED8B6A3
                                                                                                                                                                                                                                        SHA1:1BC95603F4244BBD027C8181B2B968FBD4D32364
                                                                                                                                                                                                                                        SHA-256:2C7295B8F9741EA3AC6875460CEC8DD73E8AF43DCC1B8275F2C85BEDBD0E2F51
                                                                                                                                                                                                                                        SHA-512:1C9F63A85EECFFC3D26A21A1AB57D72D1E352D51EC20F9F573921FD972913F14B36968C8B087A5A8D87C15500F12E51767217D78802E9B603C787CB46E80F974
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1547
                                                                                                                                                                                                                                        Entropy (8bit):5.008195800038022
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FVruH2/+mV0PH2/+w39y:3sIk7O7RgdjdgFSagFgg+msg+w3w
                                                                                                                                                                                                                                        MD5:029F543956E8B235A70112C77912150A
                                                                                                                                                                                                                                        SHA1:8F8916C78D9D3E5F92C37BDD39D34CD3B79BECA6
                                                                                                                                                                                                                                        SHA-256:33720B1985FE3F07F13744963085FA641F452EC393C3C8987A6023D0BC493BD1
                                                                                                                                                                                                                                        SHA-512:CF6EF25E7FD7E0B04A4F76B1552621874DAAA43838D0C028E62D1AABFFCD57AC7086A174BE9D5AF283DE8E8F09B5B40505478978102A1D8351681532B3828A38
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):349232
                                                                                                                                                                                                                                        Entropy (8bit):2.891103574883147
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bwhVuqSb/jb5BEH8VAynnnnnnnnnnnnnnnDn+0:bN5x
                                                                                                                                                                                                                                        MD5:1905B32BD7DBD65D51E066D70ED8B6A3
                                                                                                                                                                                                                                        SHA1:1BC95603F4244BBD027C8181B2B968FBD4D32364
                                                                                                                                                                                                                                        SHA-256:2C7295B8F9741EA3AC6875460CEC8DD73E8AF43DCC1B8275F2C85BEDBD0E2F51
                                                                                                                                                                                                                                        SHA-512:1C9F63A85EECFFC3D26A21A1AB57D72D1E352D51EC20F9F573921FD972913F14B36968C8B087A5A8D87C15500F12E51767217D78802E9B603C787CB46E80F974
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1547
                                                                                                                                                                                                                                        Entropy (8bit):5.008195800038022
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FVruH2/+mV0PH2/+w39y:3sIk7O7RgdjdgFSagFgg+msg+w3w
                                                                                                                                                                                                                                        MD5:029F543956E8B235A70112C77912150A
                                                                                                                                                                                                                                        SHA1:8F8916C78D9D3E5F92C37BDD39D34CD3B79BECA6
                                                                                                                                                                                                                                        SHA-256:33720B1985FE3F07F13744963085FA641F452EC393C3C8987A6023D0BC493BD1
                                                                                                                                                                                                                                        SHA-512:CF6EF25E7FD7E0B04A4F76B1552621874DAAA43838D0C028E62D1AABFFCD57AC7086A174BE9D5AF283DE8E8F09B5B40505478978102A1D8351681532B3828A38
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):58928
                                                                                                                                                                                                                                        Entropy (8bit):6.156715381451213
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:QXZjAOF44/WlibUcNsEaHLBQD2LAN1LGk+CXdNTjRdg8eegCEpYinAMxCyd6gW:Qp5Fre8b/NOLCaENdGBCzXRdVeLD7HxC
                                                                                                                                                                                                                                        MD5:7F378E3B244D61A7812DF5D3AF545BAE
                                                                                                                                                                                                                                        SHA1:EF0F321D4EDB3BA46DEE6AE9D3F2B2BA242BCAAD
                                                                                                                                                                                                                                        SHA-256:DCCC80DC4DDDB1A1D17493BEC28BF66F1D25B439629B0EA78A90F477BB9A66F0
                                                                                                                                                                                                                                        SHA-512:756991A180A2D42AAD28BCBD38C357E88D0C229A8AAB8150DD4CB730AAC12E1B056D8388FAE5934E17CBA01BAE67E3444C6A7FEE42D513B6A6664C7729F40A15
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1191
                                                                                                                                                                                                                                        Entropy (8bit):4.971943087661362
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JduPF7NhOXrRH2/dVQ7uH2/FVxlPH2/FV0PH2/+w39y:327O7RgdSagFjdgFsg+w3w
                                                                                                                                                                                                                                        MD5:B8E88B1C181AFEB535BFEA1155000E8E
                                                                                                                                                                                                                                        SHA1:EB9066E96542DCE5F35DBF2F1424FD79ACEBB65F
                                                                                                                                                                                                                                        SHA-256:5D094CC46FED5173A2B1BE4C8E5DBDB658D2C14ABD367C47DFC6F6EABD5F295C
                                                                                                                                                                                                                                        SHA-512:58459651D3358FDDD4114AB569786A2306338C08D27D3D449BE2084EAE9D4A619C5650D3699DCA6702AEFDE8F9E77FD9E56C87EF51D4A8CCB2A22A378C488C37
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1006
                                                                                                                                                                                                                                        Entropy (8bit):5.223933890381352
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:5wSHCniIqr4CaniIYpSVGYSEuhdrC7U4APUrB:mSHoiKhiJwVGDEmOUxgB
                                                                                                                                                                                                                                        MD5:C31A162EFDD55F78562A78168F502292
                                                                                                                                                                                                                                        SHA1:70E978D9E2E86A5DCCD4D832E19943F21435EE04
                                                                                                                                                                                                                                        SHA-256:836107D6FEC18B5F5C16A7AAE2A8B53FBAFEDC7F2FF3B5056FBA191C540942B2
                                                                                                                                                                                                                                        SHA-512:5993C9C05EE26F021C994F347FAEDFA1EF9DC84D539A910979CC1DFB2D63D173D796B7E4D0223B0955DA21F6E3083BEED5F7F2C9222280DC18D77741FEF8F2E1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..13/08/2024 20:56:06 Problem: Failed to extract path: .. Exception: System.IO.FileNotFoundException: Could not load file or assembly 'ICSharpCode.SharpZipLib, Version=1.3.3.11, Culture=neutral, PublicKeyToken=1b03e6acf1164f73' or one of its dependencies. The system cannot find the file specified...File name: 'ICSharpCode.SharpZipLib, Version=1.3.3.11, Culture=neutral, PublicKeyToken=1b03e6acf1164f73'.. at TicketingPackageExtensions.DownloadAndUnzipNuget.ExtractZipFile(MemoryStream archiveFileStream, String password, String targetPath).. at TicketingPackageExtensions.DownloadAndUnzipNuget.RunSync(List`1 downloadRepos, String targetPath)....WRN: Assembly binding logging is turned OFF...To enable assembly bind failure logging, set the registry value [HKLM\Software\Microsoft\Fusion!EnableLog] (DWORD) to 1...Note: There is some performance penalty associated with assembly bind failure logging...To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableL
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):23088
                                                                                                                                                                                                                                        Entropy (8bit):6.501501704353423
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:1LOGTOwM15TRwLm6orgNyb8E9VF6IYinAM+oCyyme:1nMTR0PaYEpYinAMxCD
                                                                                                                                                                                                                                        MD5:6A451EAA2F614831B8F92DA3B3C14984
                                                                                                                                                                                                                                        SHA1:6A8761DFF53DDA2CF22C0B185684D3299979EC05
                                                                                                                                                                                                                                        SHA-256:8D7B1FB1598CE54737C18576727976861A3064EED20BC02B070DDB75F438C42B
                                                                                                                                                                                                                                        SHA-512:7B5ED62C323BCC725EF5E63315347674A5916F7720CCCA389BB594F6F0B73D574F04CA2C26D795F18DAD51834054B64007561A977F54058F6AF3B9B0706802FB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1817648
                                                                                                                                                                                                                                        Entropy (8bit):6.551387792056093
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:G9EeNSPwEW3cFSI4Tfm3hvbHsjAJcAMkPk:G9Nzm31PMok
                                                                                                                                                                                                                                        MD5:9C2F6B1A38DDB691A45F6ED5EE311B24
                                                                                                                                                                                                                                        SHA1:A7EECFD000869CC6DDB2A180649D71C1D86F2AB2
                                                                                                                                                                                                                                        SHA-256:4B86945BAFE5BD2381A83922ED2EFA4E6D06F998E6265E5B668718D4485E61FB
                                                                                                                                                                                                                                        SHA-512:47BF6E6E2A171C67FFF7579C95392DC50EFCA0B1F416438F49CA063C22411AC66FBC82B473358243DB499A50E2CBCBEE6B42A343C627A7F90908C8C3F7BD1DF6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1436208
                                                                                                                                                                                                                                        Entropy (8bit):6.781367706688584
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:3s5ThI+vIjDEzn7tcBGtYnxLbdVlRdouD5RawYkGq78Yr4i9YE1tOvhefHXCvEsQ:alI+vIjE7mjOuKa8Riy+gvhaIn2+0n
                                                                                                                                                                                                                                        MD5:41CDFA24B08B989CD6DEE220341BABA8
                                                                                                                                                                                                                                        SHA1:E7D53A4DEA83B7F43E34FB9154A7BCC2D0AC76CF
                                                                                                                                                                                                                                        SHA-256:1EF78A50CF2211641B86F93D1DD15142C7657250E2B134C204F95C83D256A346
                                                                                                                                                                                                                                        SHA-512:AFD93EE3F9F9897C45DA2AA639153EA06621B0A9DBC67210F7617389BF79C7449F1CB80036B66EA39C318121F9F6697EF8BF945958E882DC0812D85247B497E4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):582537
                                                                                                                                                                                                                                        Entropy (8bit):7.999529358280024
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:12288:jFWPADWqxzsjJ/91r5+50BxeCMJuzjFxI5RWV7ZK5j:E8WQzz50Bxel0jzZU
                                                                                                                                                                                                                                        MD5:8C3A8B04727329AE1B41873E81F360ED
                                                                                                                                                                                                                                        SHA1:EF4647DAB3A94EF49769FC35DED7C9DD2E506A8F
                                                                                                                                                                                                                                        SHA-256:EF5E5D94D5EACDCEDE92FB99FC3439EDD44FE53E352ABE058FBB46E43066AB6D
                                                                                                                                                                                                                                        SHA-512:A47D96A9C97C6C6A5972182C5797C0B1B6A15B9DC7017CFE7798061540C5C686426473BA502B2949D0AA16547D92758E735BCF8CDA1C09A0326B14479239A6BB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):52272
                                                                                                                                                                                                                                        Entropy (8bit):5.836724024105667
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:ExCQ5h7KT77yxeqGLQOFfxicft9w56PzePEpYinAMxC6:ICQ5hGP7T3kSBft9w56P6o7Hxd
                                                                                                                                                                                                                                        MD5:6095B43FA565DA44E7A818CFB4BACBA2
                                                                                                                                                                                                                                        SHA1:0613CAB68FFB3903A18ED5F4967D52B4815D2499
                                                                                                                                                                                                                                        SHA-256:9FBC99E85F5FA709D0D21854D4FE1FD420C7DEC8EC1F7105BE74EEB282EFFC8C
                                                                                                                                                                                                                                        SHA-512:D0A27917F420968355AF04D572D597F83D8011A86E9C32546C0A7BE493556AE0618894DDA04CADC935A16264D7685823425D1E57F1A0873F0119A74664F88956
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):535
                                                                                                                                                                                                                                        Entropy (8bit):5.076084597400077
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdG3VO3rdZRLNFF7ap+5v5OXrRf/2//FicYo4xm:JdfrdDPF7NhOXrRH2/d9r
                                                                                                                                                                                                                                        MD5:D505E3DE03F172FA2B246E210054C5F7
                                                                                                                                                                                                                                        SHA1:F5A480F56F760EEBA3B29108387E54D70A721127
                                                                                                                                                                                                                                        SHA-256:A568F933F09B1AD1EE5E88DDCFFA1FE5921D18B73477136E1FAEE55F2BEF399A
                                                                                                                                                                                                                                        SHA-512:80F01447B43525DBDF5B283522FE14D9AECEF16E55EA3FE36DC0A94B53C49E03BB56136F0911C348FB78FB5AF6112B1DE7C38CBFFBD73ACB2971655EF1B2B859
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXTLd:WBTp
                                                                                                                                                                                                                                        MD5:B1DE0EF19266A86B8F7A2BCD03ECD23B
                                                                                                                                                                                                                                        SHA1:AB91C344BFECEF0CDB73119D4C5C72BAA8CD21E7
                                                                                                                                                                                                                                        SHA-256:50578EB887B529FB77AFAA4F3A888ECA57E2D640F4789BBEE470F1EFF04DEB7F
                                                                                                                                                                                                                                        SHA-512:656C69FF2C62F2704AC409AA3B04CB78B9767FE908BD0BE4C6977A469B68D7C5F83B786EE915BECF5244E70892A48A92B9D0CA9A767EA329B63A6EAD98F9F274
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=26.8
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96816
                                                                                                                                                                                                                                        Entropy (8bit):6.180127833270033
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:ZJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxw1:ZQUm2H5KTfOLgxFJjE50vksVUfPvCY
                                                                                                                                                                                                                                        MD5:F8FE512BC57CBF44998221FD3C5944F4
                                                                                                                                                                                                                                        SHA1:7AAC2422B394A66FDAFA69B63CFF174ACCA1C867
                                                                                                                                                                                                                                        SHA-256:5D8527636659FAFA79AEB46A6C235C9C302EBEDF08196700C38C6592A404F71F
                                                                                                                                                                                                                                        SHA-512:AB5BCE24D24F441438A7DFD3E525511DFA2A865EC93BC39F25B5DD46E99EECEC8D2A0FB181BCBBD99D71F366FB00A47751B41A5926AA1031ACE905E453982E65
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):186416
                                                                                                                                                                                                                                        Entropy (8bit):5.93420260026271
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:+kfZS7FUguxN+77b1W5GR69UgoCaf8/BCnfKlRUjW01KyFeJ:o+c7b1W4R6joxfQ8Q
                                                                                                                                                                                                                                        MD5:A22369218A10056E810C621DB7F390CF
                                                                                                                                                                                                                                        SHA1:17B681E178D96185987EFBF578DFD340A5FBF356
                                                                                                                                                                                                                                        SHA-256:987534702FC690CFB0C8B21691C91FF42268FD21C27925D93F0F788FBE03EE80
                                                                                                                                                                                                                                        SHA-512:6D49C50DF7599799902C7544C6B60300B8C2736719C408E828306ED7839EAC63AD5FC003E5FCA0F25623FBBED7244E0BE4F5EC2D7C6C529C53944603088B61E2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):331824
                                                                                                                                                                                                                                        Entropy (8bit):6.169000089371824
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:QBhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNT6:QDMUWITZznu85k8Wdn8KmCjIFi3VvG
                                                                                                                                                                                                                                        MD5:DDA5C3CE3FDBDD8A7EE32FD4C52E1A7A
                                                                                                                                                                                                                                        SHA1:8C01C9943BDBA54ED58FA308408AB5961647FF03
                                                                                                                                                                                                                                        SHA-256:42DBAE4DC463C840A39C9DC5A0DB218C565013EAF08CE2340DF78E1F83A3F0CC
                                                                                                                                                                                                                                        SHA-512:4C10E61D86F3822FFEFFDA55B0A0C6063C1AEDB9AF200A5747CA4F84754C396D88ECDCF25F54834EDCCDF303AFDAF6FF25116445C381AB77190A78AE3C286136
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960836949197253
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:0Bja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUG:0Bjk38WuBcAbwoA/BkjSHXP36RMGj
                                                                                                                                                                                                                                        MD5:9B18B6E518E2088BC98D77C3ED163319
                                                                                                                                                                                                                                        SHA1:4F6C785597BBAB2BCAFE0527E99F2271D334B628
                                                                                                                                                                                                                                        SHA-256:ABBD5647F1F025E7D0B1148E909B3CE9D9CFEA3B737B156889C0EE33F4C42C92
                                                                                                                                                                                                                                        SHA-512:A2EA7FD06834A047AE64CDFA762CD55A8BC486912933E254EA565E1294C75CFA24DB66990C87881B05156F5549FC7E695E2439E736B7435EF8FABE7B36A5EF51
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):55856
                                                                                                                                                                                                                                        Entropy (8bit):6.238978848951217
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:hREoc0f5k1KlLoz0WOySMEpnSO7iX16UJKdiYpBEpYinAMxCWLg:hR8+5k15z0WBZEtgwJq7Hx3U
                                                                                                                                                                                                                                        MD5:DFFF197E97490BB88ACF7EBB14870A4C
                                                                                                                                                                                                                                        SHA1:F355204DCB7F9045A91F3C6E20AB9D54C42A1B6C
                                                                                                                                                                                                                                        SHA-256:65AA35A36E77421CAAE591068E7C3AD23E1DFE3D51D5FBF39F8F308B4F19970E
                                                                                                                                                                                                                                        SHA-512:6F450AE14BC9EE67D99E894CD1F256F7D6885D03C8BEC8AD449F26B0D2FA64036763432BBF69D5887C7053E7BF5B2EFC4030C584731054B5FF4F6EB335C16C15
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):753
                                                                                                                                                                                                                                        Entropy (8bit):4.853078320826549
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                                                                                                                                                        MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                                                                                                                                                        SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                                                                                                                                                        SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                                                                                                                                                        SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):7466
                                                                                                                                                                                                                                        Entropy (8bit):5.1606801095705865
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                                                                                                                                                        MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                                                                                                                                                        SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                                                                                                                                                        SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                                                                                                                                                        SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):239
                                                                                                                                                                                                                                        Entropy (8bit):5.068403814008204
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:A0ZLEH9i9wqWluiKFHnFSLRg42VVxsCaUUEDcIRUvK8DBBBbBR5UBBU5EV2D2GQH:Azc9w3pKFSQzsBMcIYBJ5U74Dy7XzDX
                                                                                                                                                                                                                                        MD5:EEBC0CBB0AF8AB265F17E06A295B6B3C
                                                                                                                                                                                                                                        SHA1:EA2BE1B53C930D6830AEA35D5A975D8FEE83B2DF
                                                                                                                                                                                                                                        SHA-256:0C650245535306A33EE40CADEA00096997AB4B040468337BEC222A851D37A96B
                                                                                                                                                                                                                                        SHA-512:C55ED8F265F4FCE13EEB5ECA5A6BC7AF3E2F85288D34D93CED0D3B5C3D13149603399F256F0112DA444AD048B80930BD09F37707BB33F87ED93A750D1C951E14
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:/i /IntegratorLogin=it@netnut.io /CompanyId=1 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q300000CDtpOIAT /AgentId=219cfac1-8d31-4145-a06a-203fddd623c4.05/08/2024 16:18:10 Trace Starting..05/08/2024 16:18:24 Trace Starting..
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):178
                                                                                                                                                                                                                                        Entropy (8bit):5.290965144619767
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:5PbTsPwTKD5oetiwhsWpUgMHDxYVurxWwEfrsf3J2MzqRI+OPkvOy:RbTuDCMiwhsWagMHDMul+j25rmRcfy
                                                                                                                                                                                                                                        MD5:A7585A010EF3274101105FE5BBEDDCD4
                                                                                                                                                                                                                                        SHA1:F72023C20F62C4F32A315B6AC6B8E36025366001
                                                                                                                                                                                                                                        SHA-256:D997FF37E3D3F9BBFC4BDD18B7DE9567E95525E6AC44B21848F450EB78FFAE38
                                                                                                                                                                                                                                        SHA-512:850CD7C1B75B3B8C11B7F654953C355C2BC006569396D6CD4CD6865BFFF263B11A036BE07BE4CC2DDE3BAFA347651B1D83B6B637967D41BE1863BD0CB7AC0C6F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:eyJJZCI6IjUzNjAxNjY5LTE0YWYtNDljYi05YWFhLWJhZGU4NTQ5YTBmYSIsIkNyZWF0ZWQiOiIyMDI0LTA4LTA1VDE2OjE5OjA1LjE3NTM3NTMtMDQ6MDAiLCJNZXNzYWdlIjoiX0lOSVRfIiwiVGltZW91dCI6IjAwOjAxOjAwIn0=..
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):239
                                                                                                                                                                                                                                        Entropy (8bit):5.068403814008204
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:A0ZLEH9i9wqWluiKFHnFSLRg42VVxsCaUUEDcIRUvK8DBBBbBR5UBBU5EV2D2GQH:Azc9w3pKFSQzsBMcIYBJ5U74Dy7XzDX
                                                                                                                                                                                                                                        MD5:EEBC0CBB0AF8AB265F17E06A295B6B3C
                                                                                                                                                                                                                                        SHA1:EA2BE1B53C930D6830AEA35D5A975D8FEE83B2DF
                                                                                                                                                                                                                                        SHA-256:0C650245535306A33EE40CADEA00096997AB4B040468337BEC222A851D37A96B
                                                                                                                                                                                                                                        SHA-512:C55ED8F265F4FCE13EEB5ECA5A6BC7AF3E2F85288D34D93CED0D3B5C3D13149603399F256F0112DA444AD048B80930BD09F37707BB33F87ED93A750D1C951E14
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:/i /IntegratorLogin=it@netnut.io /CompanyId=1 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q300000CDtpOIAT /AgentId=219cfac1-8d31-4145-a06a-203fddd623c4.05/08/2024 16:18:10 Trace Starting..05/08/2024 16:18:24 Trace Starting..
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):21853
                                                                                                                                                                                                                                        Entropy (8bit):6.103879624332085
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:DXMaaS7OzfPB0jGh0SGdEMPtUBzBV4OHcvFcYluA/uYv96jrek/8j2+K84CSNV:IaaS7CfKjGCSGdEMGBr4DSYluA/u+9OB
                                                                                                                                                                                                                                        MD5:9984D21DA93D156F132B533D9A90F621
                                                                                                                                                                                                                                        SHA1:0CA5457517B19A1D3BB6C79047C51196FB44F7E5
                                                                                                                                                                                                                                        SHA-256:D283ADC040FF54062EC5E772AA606E1A049DBF2FE285EC181D691CD2F1727F86
                                                                                                                                                                                                                                        SHA-512:56672AD7C5FE23B7EBDC36FD4B0E9BBEB1D32AE40A002AFC4B4E839A1D0539FE63E8C1B61D9EF0A65413980761B417E1995CBC95A74E69A4F35D45E1A8B312A0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.# vNextDiag.ps1..# This tool is intended to help see a snapshot of the state of Office licenses..# as well as some basic management of licenses...#..# version 1.0.0....param ($action='list', $licenseId)....function PrintModePerPridFromRegistry..{...Write-Host...Write-Host "========== Mode per ProductReleaseId ==========".....$vNextRegkey = "HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LicensingNext"...$vNextPrids = Get-Item -Path $vNextRegkey -ErrorAction Ignore | Select-Object -ExpandProperty 'property' | Where-Object -FilterScript {$_.ToLower() -like "*retail" -or $_.ToLower() -like "*volume"}.....If ($vNextPrids -Eq $null)...{....Write-Host "No registry keys found."....Return...}.....$vNextPrids | ForEach `...{....$mode = (Get-ItemProperty -Path $vNextRegkey -Name $_).$_......Switch ($mode)....{.....2 { $mode = "vNext"; Break }.....3 { $mode = "Device"; Break }.....Default { $mode = "Legacy"; Break }....}......Write-Host $_ = $mode...}..}....function PrintSharedComputerL
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 text, with very long lines (514), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9519
                                                                                                                                                                                                                                        Entropy (8bit):4.902271147017698
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:ydP0KvBLCqikR/EgGJLrlwD+eilNi5Py1SDeoDXDw9lF5OMz6Q:PWBuqikR/EDJLriwlNi5KI1Tw9lF5OjQ
                                                                                                                                                                                                                                        MD5:31C5A77B3C57C8C2E82B9541B00BCD5A
                                                                                                                                                                                                                                        SHA1:153D4BC14E3A2C1485006F1752E797CA8684D06D
                                                                                                                                                                                                                                        SHA-256:7F6839A61CE892B79C6549E2DC5A81FDBD240A0B260F8881216B45B7FDA8B45D
                                                                                                                                                                                                                                        SHA-512:AD33E3C0C3B060AD44C5B1B712C991B2D7042F6A60DC691C014D977C922A7E3A783BA9BADE1A34DE853C271FDE1FB75BC2C47869ACD863A40BE3A6C6D754C0A6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MICROSOFT SOFTWARE LICENSE TERMS..MICROSOFT .NET LIBRARY ..These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to the software named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft.. * updates,.. * supplements,.. * Internet-based services, and.. * support services..for this software, unless other terms accompany those items. If so, those terms apply...BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT USE THE SOFTWARE...IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE PERPETUAL RIGHTS BELOW...1. INSTALLATION AND USE RIGHTS. .. a. Installation and Use. You may install and use any number of copies of the software to design, develop and test your programs... b. Third Party Programs. The software may include third party programs that Microsoft, not the third party, licenses to you under this
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 text, with very long lines (755), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):79954
                                                                                                                                                                                                                                        Entropy (8bit):5.2343129347468
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:HA9jHwQZGfgg39/zwgAVkguQXrDjugtSEGepkWvrpX7anuqdLS4mfiStPq+3Lefj:HA97wfogz1AVxuujHtSFULryLggrGRwJ
                                                                                                                                                                                                                                        MD5:F77A4AECFAF4640D801EB6DCDFDDC478
                                                                                                                                                                                                                                        SHA1:7424710F255F6205EF559E4D7E281A3B701183BB
                                                                                                                                                                                                                                        SHA-256:D5DB0ED54363E40717AE09E746DEC99AD5B09223CC1273BB870703176DD226B7
                                                                                                                                                                                                                                        SHA-512:1B729DFA561899980BA8B15128EA39BC1E609FE07B30B283001FD9CF9DA62885D78C18082D0085EDD81F09203F878549B48F7F888A8486A2A526B134C849FD6B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.NET Runtime uses third-party libraries or other resources that may be..distributed under licenses different than the .NET Runtime software.....In the event that we accidentally failed to list a required notice, please..bring it to our attention. Post an issue or email us:.... dotnet@microsoft.com....The attached notices are provided for information only.....License notice for ASP.NET..-------------------------------....Copyright (c) .NET Foundation. All rights reserved...Licensed under the Apache License, Version 2.0.....Available at..https://github.com/dotnet/aspnetcore/blob/main/LICENSE.txt....License notice for Slicing-by-8..-------------------------------....http://sourceforge.net/projects/slicing-by-8/....Copyright (c) 2004-2006 Intel Corporation - All Rights Reserved......This software program is licensed subject to the BSD License, available at..http://www.opensource.org/licenses/bsd-license.html.....License notice for Unicode data..-------------------------------...
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):139440
                                                                                                                                                                                                                                        Entropy (8bit):6.285914420289258
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:WwmRQoZmiyYIRPEgufW6see//RLlpseL5AXbwFWY+d:WwmRbZmiyAfClnRLlpfLyLyWYW
                                                                                                                                                                                                                                        MD5:CE8CBB6E38AD12C689FB7163909E26D6
                                                                                                                                                                                                                                        SHA1:E768FF143E96D957715EB6A63DA8BCE6A3AFF650
                                                                                                                                                                                                                                        SHA-256:980F40799FEBBD508652C7FE657A55B0E7BFE822E812C3070681896DA941BB69
                                                                                                                                                                                                                                        SHA-512:D6E49FE67A5239ECF39C6C871975E7DB15BD9BECECF208CD0E60DCFFA52B4BCF3C0A68894A56907FFD8626781AC898247633499B5F40D0A04AD16BFE2890658E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):378144
                                                                                                                                                                                                                                        Entropy (8bit):6.30005759256042
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:+CrkuaHqY/1EtiaDC3+Gr4iAOs+WEAO2gcmgrW09S:JmHqe1E3D/iAOsksH9
                                                                                                                                                                                                                                        MD5:9D67514FE36639B7EDA307FB46D27178
                                                                                                                                                                                                                                        SHA1:B8BA4CA6BCF2E5740B7E0F7A077FC72B1248BAFE
                                                                                                                                                                                                                                        SHA-256:EC8F92F2BCC5F6EE94605B7883E663236F2A2F578F4E610EAE9934CBD4266FE9
                                                                                                                                                                                                                                        SHA-512:4CA3BB0167F7F2512BFB1CC69B72FBDEFC4D3ED7679BA7ABD4B8C60F42DF2B95F6B44550F5A14C5843305B7705634D9B26327D87BB24F2934ABB5FF94C54AEA8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):50
                                                                                                                                                                                                                                        Entropy (8bit):4.101984511178706
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:e77011b31a3e5c47d931248a64b47f9b2d47853d..6.0.32..
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1042592
                                                                                                                                                                                                                                        Entropy (8bit):6.758579311481363
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2309152
                                                                                                                                                                                                                                        Entropy (8bit):6.414576855139372
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32962
                                                                                                                                                                                                                                        Entropy (8bit):4.3074461179606
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{.. "runtimeTarget": {.. "name": ".NETCoreApp,Version=v6.0/win-x64",.. "signature": "".. },.. "compilationOptions": {},.. "targets": {.. ".NETCoreApp,Version=v6.0": {},.. ".NETCoreApp,Version=v6.0/win-x64": {.. "Microsoft.NETCore.App.Runtime.win-x64/6.0.32": {.. "runtime": {.. "System.Private.CoreLib.dll": {.. "assemblyVersion": "6.0.0.0",.. "fileVersion": "6.0.3224.31407".. },.. "Microsoft.VisualBasic.dll": {.. "assemblyVersion": "10.0.0.0",.. "fileVersion": "6.0.3224.31407".. },.. "mscorlib.dll": {.. "assemblyVersion": "4.0.0.0",.. "fileVersion": "6.0.3224.31407".. },.. "netstandard.dll": {.. "assemblyVersion": "2.1.0.0",.. "fileVersion": "6.0.3224.31407".. },.. "System.AppContext.dll": {.. "assemblyVersion": "6.0.0.0",.. "fileVersion": "6.0.3224.31407".. },..
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):159
                                                                                                                                                                                                                                        Entropy (8bit):4.54941695087313
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{.. "runtimeOptions": {.. "tfm": "net6.0",.. "configProperties": {.. "System.Reflection.Metadata.MetadataUpdater.IsSupported": false.. }.. }..}
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1245360
                                                                                                                                                                                                                                        Entropy (8bit):6.768935404732361
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18184
                                                                                                                                                                                                                                        Entropy (8bit):6.586065972352763
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):26272
                                                                                                                                                                                                                                        Entropy (8bit):6.550629473321971
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:GWhPKpWCZWnjmMDQnqyXhcuolXWcYA6VFHRN7yfUiHR9z70+I:40jm5n5XivDFClTQ9zG
                                                                                                                                                                                                                                        MD5:EC5D0ACACD99FFD68DB813B11F04965C
                                                                                                                                                                                                                                        SHA1:AEEA184FA29CD03087E92D25B47EECA5DA0EC09D
                                                                                                                                                                                                                                        SHA-256:85EB1682060ABD5B680267B1F4A8FD3F9141919781A7A4F259F50AC99C1CFD5E
                                                                                                                                                                                                                                        SHA-512:C19C3B504F16015C4DFCBF4F3EF0CE2652C661823765B7FC9D709FD844831C1C03AEB3FAB9B12F850920CFA632C9C969EC6F466A13CA9AD96C69CC26D5FD2E80
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):87712
                                                                                                                                                                                                                                        Entropy (8bit):6.6073982140765795
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:xyjecxml5gdJKCILek2ymrsykEomWxGsViqo5qkbqkikzhma:xyjeIml5KJKCdy5ykE8xGsViqCqszjD
                                                                                                                                                                                                                                        MD5:E1E1078BD5CE3EB3865684D082839E72
                                                                                                                                                                                                                                        SHA1:DF92E8E112F30DB28B49018023E7E6433170E755
                                                                                                                                                                                                                                        SHA-256:6EB1A0E98D684C6F647092299C680186A2F80C571C137043B1AF9B0FF0518C81
                                                                                                                                                                                                                                        SHA-512:ECA6E8A8E589FF01A97D8A62F884BBC7BB9A39F074502DD3EF8B6AF0D9D81FB8F97C5DCADAF638386BBAD1E57083A4DAB475BFE80FC25488CC701D8E31596ED4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15632
                                                                                                                                                                                                                                        Entropy (8bit):6.786322181535639
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:/GyxxBHaW+E7WJpWjA6Kr4PFHnhWgN7agWe5Y00pyEuX01k9z3AD4IQvpIS7WcU:/zrHaW+E7WJYA6VFHRN7pEpcR9zt5zU
                                                                                                                                                                                                                                        MD5:F65763C85CFE0BE955E9BB620DE349C9
                                                                                                                                                                                                                                        SHA1:9B7A9FC65982CC76E859B5605C9DE2C384AD8528
                                                                                                                                                                                                                                        SHA-256:7C804005A4E369C54E2FEFB338C3C1BC2D0AAFA6AA6D0FEE51F9AB161B8C8034
                                                                                                                                                                                                                                        SHA-512:8173154BDA7F16957182495692E19E1B71F26D9B7E1E9CB753A7B1D05A7BFCC2F9B51B83E53343EEE02A5C312307576B5218937E238F99B6D1209F86B5CFD995
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15520
                                                                                                                                                                                                                                        Entropy (8bit):6.770683864726388
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:hb+0jWYb2WapWjA6Kr4PFHnhWgN7aIWPALBm+0U8X01k9z3AlL0w:hFjWYb2WaYA6VFHRN7uCBmo8R9zML0w
                                                                                                                                                                                                                                        MD5:63A871EC790F87FD651C5C31191669D3
                                                                                                                                                                                                                                        SHA1:B1DCA1FAF1A6C68840252F50263A3F83FCF1B089
                                                                                                                                                                                                                                        SHA-256:4505FB902833DA7A84AEE6940ECF1214FE4D58A5538C6E1B9D24B9A5F4BA542D
                                                                                                                                                                                                                                        SHA-512:FC3953902E06E563644D075E535F5F7ADB274513C608412C123520A60FA3DFE5FCC5E54D1580F7E4C35CFE3C7000414B6AE5A3985B097D85A3AFFDFADDFD6836
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):246944
                                                                                                                                                                                                                                        Entropy (8bit):6.848188639113924
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:IsS/sAVyNURkbEf5+i6MKORygikbyO2aGJ0pebyz:IslArRvt6MikbD2lieyz
                                                                                                                                                                                                                                        MD5:EE80410AB6F7E4CCF5AF69610B88C961
                                                                                                                                                                                                                                        SHA1:6136CF0F7AF46A00867631E83C912F1CAA9924D0
                                                                                                                                                                                                                                        SHA-256:1ADAEC2435191BBDCB569BF6847D8DADBBD8311E8D4A197A8E589422184673FD
                                                                                                                                                                                                                                        SHA-512:62038BB7A1482B61E8465E6586CE041D8FB43600CC97A4FE9360B5A7D9808493F7E4D846B7FD83E9ADBFA00E83442208BF4955CB8E5AFB55B8C892021EBE88E9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):666272
                                                                                                                                                                                                                                        Entropy (8bit):6.7865309669778995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:Q36VIpN0cAxbgmaoB7yPXz66M4cR+c2/oMytOobmJS:Q3OZzaBruLqo
                                                                                                                                                                                                                                        MD5:2213144DBE8516B61EC845255E800E41
                                                                                                                                                                                                                                        SHA1:1B9BC3BA892B6F00AF3A83E3D7539C8118BDB551
                                                                                                                                                                                                                                        SHA-256:3A902B104DE903DDCB9C1FEC58A9D95769F31564D967008AD7232D08C5CD48E6
                                                                                                                                                                                                                                        SHA-512:916EB3A7B4306E2A47F9371DCD6BBB842435C5BDD99E967CE99736F316D445EC5212AD99BC36F1DBF705835077FBB54D415226118B4AADDFC98D6833ACA2A490
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):101144
                                                                                                                                                                                                                                        Entropy (8bit):6.4771157203569025
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:vQqNPxgJRRQWsBTkyo+XBQCXeCLDrkEIE:4gxgJRbZEd
                                                                                                                                                                                                                                        MD5:C12C92B54FB343C99F8D01768A366D6E
                                                                                                                                                                                                                                        SHA1:51356DD0B443F14D894F9594F99F115B005104B1
                                                                                                                                                                                                                                        SHA-256:454712AD098DBB00653234FB5E7FB5E6EA7820813D34F0833BDB0D0CC7186CB5
                                                                                                                                                                                                                                        SHA-512:04D4E99B80083A9D6211945210AFE039917D182FDAD0BA035D8DFB076A048ABA3CEC5244E68C06C0068FA592468087EACFA164938232B015E4AE785DDFFAAF04
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95512
                                                                                                                                                                                                                                        Entropy (8bit):6.5344887890851435
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:da5jcaL7hPvoiTCxaDVvkDTC5O7/LyY20SRhpVeypaWszC:dmQC7ZNBsDTs+zyY20SRhpVeygn+
                                                                                                                                                                                                                                        MD5:47D9EE750FD6A7828D0A6CA892BC9E46
                                                                                                                                                                                                                                        SHA1:B0C23A5894F29A6725209E0EE38AAC135C506F8A
                                                                                                                                                                                                                                        SHA-256:53A99E65EC985625A9CC307F1307D2B8B353388A60E311DF1E7467D7DD22E6BB
                                                                                                                                                                                                                                        SHA-512:36C793702FED17B293A8204D555B1675E5297BA5DB84A3576324E4CCB601F1ED0A6B7BF997E51C9B77C5DCFC39D4639F5F3A30BC7D825CD7304A741CC816AA8E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):264992
                                                                                                                                                                                                                                        Entropy (8bit):6.7616104773576104
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:f0bzf+JuwsctkH2KrzQ5t056pAje2l3ki7CL/df:f3JuwDiHQNW/7CLlf
                                                                                                                                                                                                                                        MD5:1EA34151310783585A8326FEF2FA355C
                                                                                                                                                                                                                                        SHA1:19F78734D779A14DA4B09443395A57BAB652353C
                                                                                                                                                                                                                                        SHA-256:61EF7CE0CB1459E2D58AF1795DD0BAFE8C925DEF4620D7EF756BA8EA9C51C0B6
                                                                                                                                                                                                                                        SHA-512:8C42C677026FBE809FB70DE051FF84B31653B07C5D0610358721E529F13563173729793E77F96EF0D966221E1BCE1A863EEBA7E65463A0B9734D5E5C798F95B0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):187040
                                                                                                                                                                                                                                        Entropy (8bit):6.460139009818362
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:1vPOpAmODFRGaOsFLvjF8IbGumTG5D5/vbF6d+F7iWY9LYw8XBd:h2psT2q1QG5NF7xwLYw8z
                                                                                                                                                                                                                                        MD5:AB0D22D8A5CD9A8C09A8E7E8F4B105B1
                                                                                                                                                                                                                                        SHA1:B9665F5A2298FB916935FE0D57A2AF351BBC8355
                                                                                                                                                                                                                                        SHA-256:4F5273AC3DE8AF28FB9DC7F931AAEB436E830EC79A6BB7B30790149F748A81E0
                                                                                                                                                                                                                                        SHA-512:157A76501C1C233CEBA5A0E77566DFA90FEA0153B7C3DDFB6D99F8809BF817774E6193EDD46B026F149BC0C07E405A0998EE511FD6914080FF14412B56236E78
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17672
                                                                                                                                                                                                                                        Entropy (8bit):6.641311069044931
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:B8imyfJe9eGXxC4rcUXWuQXWWYA6VFHRN7Y6/7R9zb3cW4:B8jY1VFClY6F9zoW4
                                                                                                                                                                                                                                        MD5:593284F27C1B10A3B988C719A80F42B0
                                                                                                                                                                                                                                        SHA1:8DAA1B77155A6A80943E7CDE345D0D6A5D3392D8
                                                                                                                                                                                                                                        SHA-256:451E52F8C52FA0CB5F6F9F0AB15948B7F0F31371FBBA578DE9BDBA414DC0438E
                                                                                                                                                                                                                                        SHA-512:5C54051004C55CF2D7B25F3D74BBABA051EB79F510383BDBF0E62F622B02C9E752C4D3F11005533D2C0F2F6542A371D0672101A8FFB8BF6F70F952E5F138E63F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):38576
                                                                                                                                                                                                                                        Entropy (8bit):6.482988194804308
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ZWvdwWWoG2fC/yrkEWyiIo/DstPAoWbEwbLmkDxTip9kZFDXSO88+6EZccdwVOR0:IkdyrkRPwqfxI484taDuKWWts89zi
                                                                                                                                                                                                                                        MD5:B90AB8335BE300D2D6CCD4A8D6F9B087
                                                                                                                                                                                                                                        SHA1:1E0C8A067E0ECDE4EE76B92E0B4584BFEC356B80
                                                                                                                                                                                                                                        SHA-256:D84C335A6D2CA1BC60A08ABB82EAE992865ABEA238EE9AECF409709E35A1D8B3
                                                                                                                                                                                                                                        SHA-512:1BF05FB931667B0D85C2DF8219A135647FC92A0DC59FFF352B88570694E719AB1A81E7942F555EC4F14A57EDB0A04CFAD1FB3884DE2FB0EBCFB3BD6EC5EFAF67
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):75528
                                                                                                                                                                                                                                        Entropy (8bit):6.423261308572458
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:XnGO8FwPsQAtTKNI6T1mb1yF0YDC2oKQ15hv97Q8a7ehFClV5iK9zH:3GeUP6kYFlC2oKQVZ8uiV5nzH
                                                                                                                                                                                                                                        MD5:1F9A3B96F29E4D2F255F9F415202545E
                                                                                                                                                                                                                                        SHA1:5C7C07B718C0F6F4BBFFFC2F0B15EC5FFC71A18C
                                                                                                                                                                                                                                        SHA-256:0C7FEC8BB98188024E540B5B07138DC687A64A7BD7BCB0184F94B883CCC6573B
                                                                                                                                                                                                                                        SHA-512:88A435AC1F0EE381E8CE873D1B59BDF34C94B9C081C83421AB0960954463CA44A8DFCC1899FCE4CA9EF3F1B04A7E2F1534B0C1A2E3D03213638F00B7E7942261
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):744608
                                                                                                                                                                                                                                        Entropy (8bit):6.69105296530575
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:D9LNoeQ4iz7+tGNAZ4TVR+aAFMAmquhQa734HqPl0nVUSfDNzPJ8QeBnd8ctZI3B:v54jTVR+aAFMAmqu72KQeBnDtZIdl4le
                                                                                                                                                                                                                                        MD5:0103B7C4543CE5C30E0772318D95903A
                                                                                                                                                                                                                                        SHA1:43576B591E533BD165FCFE67C795B29C413FA45E
                                                                                                                                                                                                                                        SHA-256:607B67AA9B2DED9244581F7695D0F13F1B42231632AFCC42B1292A51E17B5D42
                                                                                                                                                                                                                                        SHA-512:A4547E5DF90BA94723CFE3DE77471EF644BD92E3800B367483EB8A2A99079AB4A6009B27AECF253C6C611768D8E27509215A492997779BD216BD91DEC408B3BE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18592
                                                                                                                                                                                                                                        Entropy (8bit):6.578998888705223
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:IpW4W1WhvBQScpij+7Co0WECYA6VFHRN71Bmo8R9zMLK2B:lnScNx7FClHmoQ9zFM
                                                                                                                                                                                                                                        MD5:ACFE404D1F4FC2A4764CB8730F694669
                                                                                                                                                                                                                                        SHA1:4B226ED287BDF7BA97E7920A0A63D72984DA8737
                                                                                                                                                                                                                                        SHA-256:C3BBD79CAD9FC5A8131A2A80E452EB517B470D7AA890BB0D9DAA85733705DCEA
                                                                                                                                                                                                                                        SHA-512:8D970290BB05E05AEB94B109B326C354B9F5C60A6DF276D3DE48AD7FF3E5F11CA8CEABC9898595B30AEA3B2A776F04457B4A4878F7ABAEDE11A18C244CB935F8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19632
                                                                                                                                                                                                                                        Entropy (8bit):6.558847302673581
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:HXoWX0yXQB1uXTSv/fvNRvGZYdf3zyP/weAEyUDhlWvONWHX6HRN7P6R9zqg67Pv:QniA2eWP29zm7jz
                                                                                                                                                                                                                                        MD5:5F280F450CBCE8D1E6604BF2CEC2420F
                                                                                                                                                                                                                                        SHA1:318D47DD9EAC1856356F2BB2A7A688F0B5B6EA7D
                                                                                                                                                                                                                                        SHA-256:EA9D9416D88ED906C118675224CA7DF5DCE0B6F7E0A9FF0331F32D56718B116A
                                                                                                                                                                                                                                        SHA-512:8D0A77D17D63AEE05308E5F167B17B5615F705802A3FA45FB91B003A47C4289CAFA8C7814D121F83E8DA37B3CD86AD1A89CDDAA7AA717E46E9F6DA3547E49A12
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):156832
                                                                                                                                                                                                                                        Entropy (8bit):6.5964367947706215
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:K8z3iIcbCwq+p1waxbwbKBUOmOaYMGFyCN:veLh67clFys
                                                                                                                                                                                                                                        MD5:201166FA1E8E70153B374329A0FD284D
                                                                                                                                                                                                                                        SHA1:BFB399E7F79619B38BE849AC6B6A98AEE8E6A2D4
                                                                                                                                                                                                                                        SHA-256:0DCE6AEBDD65D76FA922723DA65CA8BF1207F93B44B0B201BB2FE16A24A7EDA9
                                                                                                                                                                                                                                        SHA-512:B05620B66789CB71635258A7BAB8C7D7B79260CDCA22EE9214241B017BAB8C2D31583ED0A2DE02AABDCDD39E4FD25FEF4292D6E221CF56F2500DC6F92F014188
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):24328
                                                                                                                                                                                                                                        Entropy (8bit):6.298742718525896
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:8sIbPFWOUSnPEW51b04H9DGMq/tE8aQjryAkxkBm4U1zXtBC17KIDRWXb2WjYA64:8vPFWOUSnP751b04H9DGMq/tE8aQjryH
                                                                                                                                                                                                                                        MD5:40D5E469C55306B8672F327B8E4B9667
                                                                                                                                                                                                                                        SHA1:EB53D4C4978A760DFB27FDA5934E023102FFD64B
                                                                                                                                                                                                                                        SHA-256:5EF5D3758C1B1EAB45BBD17D6CAFBFF6510E284A47E385C81DAEC6559D5A0796
                                                                                                                                                                                                                                        SHA-512:34D9D261B2DECDA332D1E6469F903E436CB66FA6780C6091AC0FFB7846998A18674191132B3E55778673D5164EFA5CBC6D0DF28BEAC1F8B896FDFE086D82A5B2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2983600
                                                                                                                                                                                                                                        Entropy (8bit):6.812192303137626
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:QGXvwoaHeJ4TJYdj/Ic8u07EPba92I7aE0Vnv1XgVi4nNmccxbDpBsnTzkt2By6:FXIle6lscc+mxEx
                                                                                                                                                                                                                                        MD5:03E0F23A9AFFBE826691D59679FC59D9
                                                                                                                                                                                                                                        SHA1:629C03AC4766F367D21F6C8C9661DB55B7C8181E
                                                                                                                                                                                                                                        SHA-256:2798A9381AF5A44D712F2DDCF8CF123F9BFE9CA2514DD1997595D58F4B6CF6BE
                                                                                                                                                                                                                                        SHA-512:918EFE2983F2BE6105321414CFAC95ED629CAEBDA037EC64497EAF4BDC43D26DF1DF1E47FC2F073044854DD3E53CC45DD5348C8DBC8A2AE41EA55CC41818A8E8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.654164203598564
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:CILuSHbxjWa07W7YA6VFHRN7O049R9zaxW8:LuPwFClO069zQW8
                                                                                                                                                                                                                                        MD5:D4DB1A835333B83021EDBD1EDEB6D27B
                                                                                                                                                                                                                                        SHA1:2C02C06D2C5833E9D4C7B9A39B411E8478F0E016
                                                                                                                                                                                                                                        SHA-256:9B6A7F9CD4931CC9D5186F72A9159D23F72ECF41DF5F8839B032CE16BA37EBB2
                                                                                                                                                                                                                                        SHA-512:2458D1AE4D2520FE1EC682BDEE5B6CBDE06614FB27CFE5357E35C8E2BAEA2B9A8FE7321ED9926BC3667F225010D12EC63C862CB582A874041B98963174139DEB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25760
                                                                                                                                                                                                                                        Entropy (8bit):6.240856087154136
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:wBaJC9XmGP2SoxDZQe/9hyWiWFWiYA6VFHRN7I/6fR9z+A7:wwsXmJDZQIbFClv9zh7
                                                                                                                                                                                                                                        MD5:66CBA8908CCE9E4119AA1262BC47154F
                                                                                                                                                                                                                                        SHA1:20AAD849038632117C90B367F470E41845F21F34
                                                                                                                                                                                                                                        SHA-256:A9EEB0AA352B4D59A050ED8299CE9D901DEBAF83E9E5FADA36AEA1BD0194554C
                                                                                                                                                                                                                                        SHA-512:1503DCCC3BAA87B3CE87CAF17E926DCD4308B2CEDAC90E9552671F6CB41508506A12DB3BF1262B1ACAFCC8AD4C4B1A713D963A2547C0A61C241C6DDD5E947745
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.777665372573317
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:D9teWZPxxe3sW6r2WnpWjA6Kr4PFHnhWgN7aIWe8/KIjwX01k9z3A8Pl4:5EWzA3sW6r2WnYA6VFHRN7dbHR9z794
                                                                                                                                                                                                                                        MD5:C46E8A594D74758F7B3687CAF3926A27
                                                                                                                                                                                                                                        SHA1:ADE52D2084F59DF1C8AF87838B6FB28CDB2FEC28
                                                                                                                                                                                                                                        SHA-256:8AC0FFAABC3F3265B4CB9FA0A301D11B51A46DC912111CBC28ABFA2F2586B9CD
                                                                                                                                                                                                                                        SHA-512:D76A401A8A20F3345102DA20770ED598F9FA0DB60175D6483BD15CE4109777EDB95F28BA90EEBABDA960D47D3ECFCC39AA7012F75D32ABB0896B23DD08060C8C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.762856659311949
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:NR1bwxx+YW2rmWcpWjA6Kr4PFHnhWgN7a8WW9aqcnCjVi6KrIX01k9z3ALxLwf:NaoYW2rmWcYA6VFHRN7j5w49R9zax0f
                                                                                                                                                                                                                                        MD5:8F3DF1C8A4747BE297926B0E6947A230
                                                                                                                                                                                                                                        SHA1:836967D203FAE86256A5E61C9086DBE4F5D6E35A
                                                                                                                                                                                                                                        SHA-256:F2B8865DCE56FF9064E31939066AEA954F5765C4AE82C852EAE28686DBF9A65F
                                                                                                                                                                                                                                        SHA-512:D4850721E5FA9709B0FA7AF685164DDDD9CD4B3EE8290CA02643C20F4D1B16EAC8E597736D1B02CC4F1DE5753E661EDA8D7D86B47D3850483D8C3617922C2A41
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):380592
                                                                                                                                                                                                                                        Entropy (8bit):6.735675584761259
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:FkrYIYOg3BqTtasHnkWg62wafPoSVsybyCrEVYE9J01Tp1:6G3BkBkwoPACrEVtQJ
                                                                                                                                                                                                                                        MD5:FE19AB7B45430314F9B9406779A5F383
                                                                                                                                                                                                                                        SHA1:2733B7326CC7C5587BE27C93F936590E642D13DE
                                                                                                                                                                                                                                        SHA-256:FD2953B1294DD406194DC06383643C1ECE065852EFC70977E363C5D811A52475
                                                                                                                                                                                                                                        SHA-512:5E72487FA8F4398BC40D6B120578E7A05C47C8E351DFB7845E7BADB7313B903BAB98DDDFF60F9BFBC12E203BCEC5AE8A4085EB16F79BAFC98929EBCF50BA64D6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35488
                                                                                                                                                                                                                                        Entropy (8bit):6.4777955962711955
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:fWd6V9WHoyr50a+3ZgW1n6lsLiKqFCM1nTrmCwCBZ0oMaPeYA6VFHRN7gR9zpA:DCEpgW9LiKqFCM1n2CwWZZkFClc9z+
                                                                                                                                                                                                                                        MD5:51338B3400E2014F4B2EBB188760F8F8
                                                                                                                                                                                                                                        SHA1:C1EFC054DFA51D6498F2A6C3F44168D98BA5BC58
                                                                                                                                                                                                                                        SHA-256:E8DDBB1ED8BE1094412B0621268EE218A1BDE5DD4CBDD22FB947D1620F58872E
                                                                                                                                                                                                                                        SHA-512:4F4C20A2D7A65C09219F45C8CAAA98BDE04AB71CD30DA8943F87293F9D3C38662DFB3769CE30A264740EC22BF9B33E1148D9B88E72DE55B887F32B0B94F553A7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):290464
                                                                                                                                                                                                                                        Entropy (8bit):6.685216167852544
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:I57mVQTeyklUtrYxgjucNxs9b3NX1PkxAqRS7s03JFRlM:I5iVQTrklUSGjucNjmi03JFRlM
                                                                                                                                                                                                                                        MD5:DC2D85A8707588E1040BF052978CA3CC
                                                                                                                                                                                                                                        SHA1:CC19AF78C206F42CCCEE192BEE5ED854B5601869
                                                                                                                                                                                                                                        SHA-256:423E9CB7C654E1275AF06574E0ECCF600ADD68D35F7A9535DE7C29586A72B977
                                                                                                                                                                                                                                        SHA-512:EBA9BA51D5CD0CD89B3A4B1A1068A2F6DE1C5307FA6559CCA40B918A666D2A4C5DC592BAD2992C8D1035575F76C0FC3F74BD086600A33ACBCBEDE238E840AA16
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):36512
                                                                                                                                                                                                                                        Entropy (8bit):6.53012806262516
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:H9jY/q6ejoniqkwx38n9Is/C4STsssssssssiFClkmoQ9zpI:HhY/q6ejoniqjx38n9Ij4SFikmVzpI
                                                                                                                                                                                                                                        MD5:4638B0B06EC5F853D3106C3E793ECE1B
                                                                                                                                                                                                                                        SHA1:D84B90F77DF24BE65B2692B5A6E68B4A934A6CB3
                                                                                                                                                                                                                                        SHA-256:9D25EBA962800F6D7690E51E8BCAFE421FE356B3E295D1EC68DDA7924C079423
                                                                                                                                                                                                                                        SHA-512:8C47A0B2DCCCF797CA00467398DA2645CE99B4B08487BC5100A5B7F875CC737392AE2DD69A57C2532A7AA25AF12B7881F9DEE211AA96EA2520D2D49568905496
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):60576
                                                                                                                                                                                                                                        Entropy (8bit):6.5394690812701635
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:tqvGQZQFio5Dp/YLOzpngBsUb+CSNI8QUQXECID5FH0yFeO+FClJW29zh:tPFT5DpQizNpI8GvIJitiYCzh
                                                                                                                                                                                                                                        MD5:AA215480CCC3324B83FB2ADD6E4856BF
                                                                                                                                                                                                                                        SHA1:774277C64E0CDAF14424081D548B2D3F2B5F7A51
                                                                                                                                                                                                                                        SHA-256:900E8474DE5C8EBE1CE4FABDBE19C1145C429D89C2F2C4F7925849767FC3EF28
                                                                                                                                                                                                                                        SHA-512:537F08CEC9AB09A325D8374D776E8E682C80013BD8DE5F3B505826845607D61159FED887336716F1F53F054AFEFC092991E8D5FDB7E9547AB88945E11874A73E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16048
                                                                                                                                                                                                                                        Entropy (8bit):6.692349952151225
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:tVTAaxxe2pWQhUW0WxNzx95jmHnhWgN7aIWNxeKIjwX01k9z3A8N6Xr:3cA82pWQhUWbX6HRN723HR9z76
                                                                                                                                                                                                                                        MD5:D6FE11D82ABE3B49A423C948AFE918AA
                                                                                                                                                                                                                                        SHA1:A00BF039CA892A3802C3BC53F5886F5D6CF77DAA
                                                                                                                                                                                                                                        SHA-256:B25E831533A50791B90C1DD448703E88E36F3957BC2C9F40850A8BB051B5FCBB
                                                                                                                                                                                                                                        SHA-512:3CC0A47C684D07260D430FC61C5924DC0452A14401DDC5E9547FFEBC9DD0F92AE055FDB1C5CCCF16F9EA5513D85C9F1A8A5B2FD991995EAA1D2A0E07DDDA50ED
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):133296
                                                                                                                                                                                                                                        Entropy (8bit):6.547997172170634
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:8qjAVA3Uak7lkcUpI1dsMvj2OE20esM9eVmiqRIL8OXmty6nzufWrzhK6:8BV7agh3sMaj2SM9eVmiT2ty6zSs06
                                                                                                                                                                                                                                        MD5:51D99AE932F81F3155A5F410249FA4ED
                                                                                                                                                                                                                                        SHA1:A6AE36D863E6E4A0476ED5B8756D4AFA03C6468D
                                                                                                                                                                                                                                        SHA-256:57B710D6EE5585086F4438B864B5BED4738E9F451F21479D785BDF34781C9E76
                                                                                                                                                                                                                                        SHA-512:2F147F7188CEB538125B38E427FD01E9FA957041C45C8C34ABCD9093BB6D8479B6412A13DF09CA9256D6CCD75240EF409AC3A2B5CC7E76E6157F24D044AC5F7C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16664
                                                                                                                                                                                                                                        Entropy (8bit):6.7213791223858825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:hG5g6pDj+y1xxdPWbcDWGWHtWxNzx95jmHnhWgN7acWZkwKUWX01k9z3A/bUfw:h2+y/3PWbcDW7HuX6HRN7YF2R9zEr
                                                                                                                                                                                                                                        MD5:BAE1EC3B6C385527836D2AB828A0BE1A
                                                                                                                                                                                                                                        SHA1:733BD04B4DF39E38F075FBE75B15AFBCAF5117EE
                                                                                                                                                                                                                                        SHA-256:B1A8899251AAE44D312C44D9FCC8467EED7F112E6812C05A1EB30D3726ABE81C
                                                                                                                                                                                                                                        SHA-512:C6C6CCC8A9680D0AF897508463F9FC15564EE51E46C34699B907359109C14390A27C56FE39542A48AA943579A893625737C43EA9BD216594FA7FE824408262D5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):130208
                                                                                                                                                                                                                                        Entropy (8bit):6.376283707070365
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:z9PHfhY6c2ZPg52Hzvagb4xfHIKHnT6IdIWDkHLYlN0:hPHfDayzKHm+qYK
                                                                                                                                                                                                                                        MD5:F2B90E6B99089BF12AC1B2BC39658CF7
                                                                                                                                                                                                                                        SHA1:5CC0CBC44A27948C192B3F9E33341443DFCA28AD
                                                                                                                                                                                                                                        SHA-256:AB1B5EBF7F85E57A074F61A01B63333CB19D0DD5765645C38F6DF906556C1059
                                                                                                                                                                                                                                        SHA-512:CD07322A7098A8EDEDC1B8FF28A0B1D38A7992BA8534781975B883528DF64B9CA11EC027E5FC9535E7FD243EF487F6041920ABB46B8E9042604B123CE7A17F67
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21256
                                                                                                                                                                                                                                        Entropy (8bit):6.402835622696235
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:zgyLzP7uC8sYITet5P9KbxWxutWEcYA6VFHRN7V6mcTR9zi2eiXrkd:zgy7CCKFClcrV9zpeiXrkd
                                                                                                                                                                                                                                        MD5:0F96953D2C97BD849375D7989365F1A9
                                                                                                                                                                                                                                        SHA1:F5CC786D19947FCBBC4FB34D06D8AE2466A2EB08
                                                                                                                                                                                                                                        SHA-256:8FC1D7782F015D6803C640E4F04EEB2B18468D773630B6A0F6FCF09B298FF11B
                                                                                                                                                                                                                                        SHA-512:956E384850295A60C6D838DE285C0ACC31D974F0B451B6CDFCFAFDDE6BDB33613F17E5D30A341A18B8F14A3B5C918D8EC96EAAAF48CF8BB967CC6773F6834DC3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16648
                                                                                                                                                                                                                                        Entropy (8bit):6.685942816560535
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:wGM51jjMWsXCW/YA6VFHRN7H0KGrYVXC4deR9zVjox78:Y16zFClHbGrYVXC4dC9zVjG78
                                                                                                                                                                                                                                        MD5:8CFBFA7AFD85136DA94F5832D94AC9AE
                                                                                                                                                                                                                                        SHA1:89FEF34116578257A8D700FD83BE859B3199707F
                                                                                                                                                                                                                                        SHA-256:F495B72459FBD399EAFAB35072DD2ADA3466C8B61FF09D5A4F6DC4B46F61F0B2
                                                                                                                                                                                                                                        SHA-512:948D3D1B081026F14C8EA1F21602D0B257B72ADB55B8F7ED5E4165FEB3D081C1380FC88053CED5C95ECFF68EC85ED9506330EC1B88DE44F175E20575606BA78A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):200352
                                                                                                                                                                                                                                        Entropy (8bit):6.675634999876197
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:cf15GMge2PRUqDcbSjp74Cmwqv9Rcgff3Fu:cfLxgeyRUAcbSjp74Cmw2vFu
                                                                                                                                                                                                                                        MD5:13DF3EE8621AFC18530ED425CED9CD6C
                                                                                                                                                                                                                                        SHA1:BE9C951D0C2159754BA172A680916A628F91EFB6
                                                                                                                                                                                                                                        SHA-256:5AEEE4C52011AF8A5502484C991205985DF529F9F1EE53F9D0EA9FFA53FD13AA
                                                                                                                                                                                                                                        SHA-512:C39E246CA4E4D347F92C82DFE75AF8FA1756A869A08FF97B5116C33A6D0138383D7CCE1C50B9B211E1869CDEA53DAF38BE98838B0FD48C0F956AB7971EBACC75
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                                        Entropy (8bit):6.8006872328458625
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Baq7iRqXWDRq4mRqm0Rq7WWYA6VFHRN7DzPtcTR9zi2e8P:R8qKqbqmuqdFClOV9zpeM
                                                                                                                                                                                                                                        MD5:27C42A08E6C20635141FEC62802D5B95
                                                                                                                                                                                                                                        SHA1:7AE669484842D4D65AE076DDA8B660BE9AB2282A
                                                                                                                                                                                                                                        SHA-256:9896AD79F4528FE1D08E0CB3027127980FA71F8E4F82DE8916BE526157761387
                                                                                                                                                                                                                                        SHA-512:34DBC0056467F5F8218DC0BFB0030D113ECB8F6A9CB27852DB650165BC5FBC2DDF7E88679F273DB09AD3D050799BF348A322EEC0421642C46FEAA2453B0BD9D2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15624
                                                                                                                                                                                                                                        Entropy (8bit):6.828542855579913
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Dl8RPWYRgpRp0RjWYYA6VFHRN7htZ2R9zEZt:D4NApu7FClDZK9z6t
                                                                                                                                                                                                                                        MD5:E5A6FAA55C56E33AA488D92E489598DD
                                                                                                                                                                                                                                        SHA1:B100EA405A6AA4C5373B6D812F66CC8F53B38B06
                                                                                                                                                                                                                                        SHA-256:D32ACB153BFB96C7BF36049CFA1FCBD89E27EFB53100C8C41D476ACF7D9F17AD
                                                                                                                                                                                                                                        SHA-512:621F24A2695D341BC48746099E41EDBC4143F6F810752551DE85C16F3155484050563751C2F1E55D876C138366B1AFF7A196117D845E6383CF60CF2B5B8777B7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.72406198525283
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:3mQ1AcRLWdRMERA0RHWzYA6VFHRN7FHR9z7t:3mQ1n0xAuMFCl/9zh
                                                                                                                                                                                                                                        MD5:05B81283F6495E06FF0AB4943B2343AE
                                                                                                                                                                                                                                        SHA1:E10D7BF018AE90BA1E53B86CBC808F9CF642C68C
                                                                                                                                                                                                                                        SHA-256:5CD5D885529923A1E4E9680E0C02EC504CF5C9B2375337427B57B20F731CE55D
                                                                                                                                                                                                                                        SHA-512:DB50326EC32CC9FBD3262CE8C004611CDBDCC03D54053FFF0DF0D7B165C13D45F1EFC89749040AA4E01AC4DDE503C26870ADE3D9D1322316849856693245E354
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):72864
                                                                                                                                                                                                                                        Entropy (8bit):6.524372551005852
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:OtCcjcm7Q5dSOyXb23QCQrEp8J0Bi1yz3:Opcm85zyXb236roBeyj
                                                                                                                                                                                                                                        MD5:EC5EE4618509CD0B01447CCF1960DBE8
                                                                                                                                                                                                                                        SHA1:6D84D712271CB213334E1F0ACFE67BE20D41DB09
                                                                                                                                                                                                                                        SHA-256:F90FD1D4986B7ACA57D92A8F069BB4D52CDC9862333099B0403FBA661D6CEFB2
                                                                                                                                                                                                                                        SHA-512:C2A710E0A293BA990FDB7B1139A7B15976D93C4E12B1A14A3C24DC986B136E3AAB2D316F0846EE0FC9E67E7E57C446E7A58152B099797EB3AB9A92E13DFFEBC0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                                        Entropy (8bit):6.721333411401923
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:OP/3aWu7mW9YA6VFHRN7iYahJpR9zrjNl:OPvOFFCliYa7D9z3r
                                                                                                                                                                                                                                        MD5:6ED07B09003387E0A22CC8E4B7AF99FA
                                                                                                                                                                                                                                        SHA1:22797A9B68088050FCE4C5E11CC05C3EB94F4FA1
                                                                                                                                                                                                                                        SHA-256:0F5559C78DA1B4C5F851DE563E6B7C3411B20E0BC3427940FBCE71F647C7535B
                                                                                                                                                                                                                                        SHA-512:FE9F046FDE19ACF26E16C113FFD20A90B029CF9DF1C4BBEFE45766843AFB61ED8D6BA405DED837510D4D5F9902A10B0D96F8455D41E58CAB7A2614E3A11095CB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):826016
                                                                                                                                                                                                                                        Entropy (8bit):6.111858963772501
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3JhYe83Gfyv7vrkasX8LZ6dA9NWYIAHhlyR8ZXTw05nmZfR83i:PYXv7vr5dx9IAniAmZfRYi
                                                                                                                                                                                                                                        MD5:05ADF6BF8E468B7A9D46E7748FDDAA8A
                                                                                                                                                                                                                                        SHA1:BB527A0E7ADB5BEF8DE1653F4A70B7F78247F792
                                                                                                                                                                                                                                        SHA-256:DBD97753727725C061E6F7258355D54E119098E973A064B8A983273B3B99F787
                                                                                                                                                                                                                                        SHA-512:B2EEA485C1684BC57F8E0E774B8C351C0B6A47C7DC65152BCD31E390B5EA58EC37B8F6CC70C3771F5AAEE6712F24586ACF746E38A5A3D0A0F184C6B7ACDA1A83
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):39584
                                                                                                                                                                                                                                        Entropy (8bit):6.504746734753008
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:hWPVIWfgE7XgHg1al2Yd5zDN2147XCIYUvsWIXpuJFH9CEUoGdqtHfSZGU05pu+V:4pwHf41MCUUjgsEUtcRpX5FClUmoQ9zi
                                                                                                                                                                                                                                        MD5:9C86F8E718CBC4CC1E17C865FD81EF29
                                                                                                                                                                                                                                        SHA1:266AD1DF8B2FC2DC483B44C108665420881FB240
                                                                                                                                                                                                                                        SHA-256:B906BA0E3641B75502DD60C4DE71F0CCBF13410E98C6AECF16ED93F6A4285CE3
                                                                                                                                                                                                                                        SHA-512:FA9B0CFC2CC9D04624769E0B5BFA2F6CBFC9C6518F41EA3FA589ABF492A65C6E412953E98B07C0ACF3A697B80F876C90A86B11EEF754F6FC77B2901DE209AE3C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):267016
                                                                                                                                                                                                                                        Entropy (8bit):6.6826444234875275
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:uFkvaNssc18qR3na42neTHhI8HERQu4cI+NWlNRB1xqkUbwn+3GEF7plloN/VhKs:JF/5IeDhInRZWlbB1JI5XllOQuMKHP
                                                                                                                                                                                                                                        MD5:299CE3A886D186D6C6EE21EAD9F9F2F4
                                                                                                                                                                                                                                        SHA1:2C4819070B5B418C78E311DA99352C8ECBA1A580
                                                                                                                                                                                                                                        SHA-256:168DDAB678DE2E1B859B9CD38FBCA6148A3A0DC5DC3590A8D32DFCD94DD67B71
                                                                                                                                                                                                                                        SHA-512:E041719E949FA12E9653F566FAE6446E868CA53E1761F707469D419CDEBE32271251C476A954240A4A805F55E26CEBCCD222D7021C75C1643FFF9A1C3B06C14C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):93872
                                                                                                                                                                                                                                        Entropy (8bit):6.567261761569019
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:G2BXrcUty70kPhIYeXxs6+gvXYqFBtgvaNB1WXzhZ:G2BXrPwFI1o8NCi14P
                                                                                                                                                                                                                                        MD5:5D63BAFA51DACFBBFB72E18694CA9F6A
                                                                                                                                                                                                                                        SHA1:8B7E54FDDFED77D00A30F9E163BED9CA69D53CDD
                                                                                                                                                                                                                                        SHA-256:6133769F582546A29300BD4988B3CEF06F3C1A83E8F52C2A30C62EC358011EDE
                                                                                                                                                                                                                                        SHA-512:380CCD0BDFDA10F07D5121314208B8924716FCBD1A6C60DF5C536A4C0C70904C653BAFA3B58D1BC05C9B16FFA7FD30A9BEE8460E8DE0852FBFEA86558E645E7E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):42672
                                                                                                                                                                                                                                        Entropy (8bit):6.438920622890288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:hWUHyWx5DVCHWl2Yd5zwNiCXKTmRIYfZKG46JdicX+zu6CVy1/8K/Y5ews+dLFSn:RNf/b36JwcXKLkK/Y71KWQkts89zg
                                                                                                                                                                                                                                        MD5:21B0D8D7603F786BA5FD1396304BE0FA
                                                                                                                                                                                                                                        SHA1:A63565EC1C9979A827960DB4CCD80B62F9EF3F8A
                                                                                                                                                                                                                                        SHA-256:F90B203B1133A025ADCDBB07966C6B6AB78DE1505A9AE582A56481D1EE873F9B
                                                                                                                                                                                                                                        SHA-512:9BB4615E370F449CAB01E8D5DA5A0AED806C3E7083AABF3C014E41ADDBC24A46730174E3EB9A8EAD0BC858B1A9295AFC9FBCB45471269AD9291F21941DB9CC63
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15640
                                                                                                                                                                                                                                        Entropy (8bit):6.830284593719402
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:ahYMx9YW/fqW6WKWxNzx95jmHnhWgN7acW4gYCx6RMySX01k9z3AHVKJ8RUJa9J7:an9YW/fqW/ZX6HRN7Hg8MR9zGVKr6V
                                                                                                                                                                                                                                        MD5:BD3CCEA3CAEA8234E219850EE8FD1B56
                                                                                                                                                                                                                                        SHA1:F4A17588CD90E475A521CCA5DAB7374FAB3250A9
                                                                                                                                                                                                                                        SHA-256:C86D4E039FD6BF65D1FA0783193A9ABE30E66C347A43C6163B881D46F3D87EFE
                                                                                                                                                                                                                                        SHA-512:71D87E0774C058CBEA08AB309288B596BD4597F68E9B521A0556E8EB8236BF02B2D17CD31E09033744653AE0D38F9F5A2805D0855528C2A51590BE91143DF1A0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):72368
                                                                                                                                                                                                                                        Entropy (8bit):6.5347936763696195
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:fHuxn2SjgTCcxduILBZIds7lgndSI0bWBYWMzlm5:fOx2Rld9lZz7lukI0baYvZ6
                                                                                                                                                                                                                                        MD5:160C8055B1230CECDB195BD6057BF3D6
                                                                                                                                                                                                                                        SHA1:1BE7BB10FD675CE1D979CC43386EB478BC677E5C
                                                                                                                                                                                                                                        SHA-256:B2D5F23950B2CFE9056624E6A1E6CB78FEDD1775F8E490B6F6D597FE6B9453BE
                                                                                                                                                                                                                                        SHA-512:9E606F7EB6B4A4AF5194ACD3443B23E2A178383826B49F16D544DDDD2E1BA5C3374DD0E6E6B765EBDC8EBFF47B2BB5580968532C4F29F2F4A4F0CBB6CA67D3F1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):24344
                                                                                                                                                                                                                                        Entropy (8bit):6.355803501821008
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:D5aPWc+mFnJ85Zu+m2sqjd5z5nNkcf2LthQWy72WQX6HRN7D02R9zEeMG:4P7Fn8dPfVqAY6IWwK9zXt
                                                                                                                                                                                                                                        MD5:1E9BC95C5CE564B1FFA33FB4BAA3C82B
                                                                                                                                                                                                                                        SHA1:CF9F928BEF3268F27E88A50BDF468D6488C6A936
                                                                                                                                                                                                                                        SHA-256:008BF6401C475B5E85C15D0756F6E377EE2BCD742DB2667D7A502C9EEFFDD721
                                                                                                                                                                                                                                        SHA-512:4DE834DD2107D4A1411596056C71FD4E2022FE26FA379E70A0F78374D0C7DBAEF34F292493716029755126B567CCED04539277E71C17A29E92D0EC5ADB8630E4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):83616
                                                                                                                                                                                                                                        Entropy (8bit):6.495444697679031
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:BzPryEnJOCVHF9BR5sWApdNeK+M33e6Z3IVi+i8zQ+:BDnJOCVBR5sWApdNe433e6u4+zk+
                                                                                                                                                                                                                                        MD5:D7676E8A49066209E0FA8CA44E8B9407
                                                                                                                                                                                                                                        SHA1:D8595DB79E999D334216A785E07FB33940CEEE79
                                                                                                                                                                                                                                        SHA-256:A8E4E2CDFC6FAA5BA11945BD6212B81C9603D8EAE8C7BFC7C2722EFA2B58513F
                                                                                                                                                                                                                                        SHA-512:28549BC603E12A4F05A59B873A7E319E3A36E4E55436EDB6C117E21CAD0FC11F772B22BF399463BB8CABB9FC9A085FC924548455BBFDECC89EF034F07E70147A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69408
                                                                                                                                                                                                                                        Entropy (8bit):6.415564775018847
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:Oel44fb3OrgQqy2gYSxycVFidrg0TwK9WWzjn:Oel13O2y2gYMXVAdrg0TwK9tHn
                                                                                                                                                                                                                                        MD5:B9F00468A42AEF4650D7DDDDA2B48A49
                                                                                                                                                                                                                                        SHA1:1B75047EE318C2C2596C74AAD1977CF1F17BF01F
                                                                                                                                                                                                                                        SHA-256:E9668809465731AEBE17CDAC847B1650896C65FB7934313ED075F9C331631E98
                                                                                                                                                                                                                                        SHA-512:C8F4CC2E4182EFE98B3AA25D6BBF0EA6BD9530EDE2D3F3BFC48387FF7A041A22B0C8969860B7161C92B88EBCE30BDF3B6F47EB5B675464E0C9C08847ED10D980
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16648
                                                                                                                                                                                                                                        Entropy (8bit):6.8039485559108055
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:sQ3WehWqW+oPWgYA6VFHRN7PVXC4deR9zVjoxpK:93WSgfFClPVXC4dC9zVjGY
                                                                                                                                                                                                                                        MD5:7C4C0AB06F827D12B5BB0609E34B881D
                                                                                                                                                                                                                                        SHA1:EDB76E9DF5E177D260AD8E5739375E00CD16C412
                                                                                                                                                                                                                                        SHA-256:058C76CDC0BE8AB0F583ACE5651F1CE1EE7D3D1178DBE2D03829A7D52723A2FF
                                                                                                                                                                                                                                        SHA-512:05AF881F2603C59539802A2CE86D6204BDE877860F3FADF302FCD60B96EC87026FE8379830BBBED7A7E7B8226BB8427B7101A6F49E509A1FB383FD8B54DC3168
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):136352
                                                                                                                                                                                                                                        Entropy (8bit):6.501718336587814
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:igZr1fdLwfRDI76D+/PeCMk0eZeBClJk87+xL8a:fKM++/2U0EaxLx
                                                                                                                                                                                                                                        MD5:8C160837F5ABB45FC6D74EB314DC4E33
                                                                                                                                                                                                                                        SHA1:CEF2A93F9E2C12F6AAEE0E43923C9B3D9D701D23
                                                                                                                                                                                                                                        SHA-256:5C402A50C62ADF3BB0538F520CA2E8D56788B877020EA11A22B5A48072DF95A5
                                                                                                                                                                                                                                        SHA-512:CCB662F219CA181FE2C78286BF9F41121B8D89CBA4E632787C1E9F302D961D044127007DE0C503896C8EC9DCA7B9E4B85A8A56CF81D44CFCDAD122391200BDAA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15640
                                                                                                                                                                                                                                        Entropy (8bit):6.845221810436923
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cZdi0aXwMxx03Wjz+WCWxNzx95jmHnhWgN7agWWOx6RMySX01k9z3AHVKJ8RS5un:gitwa+3Wjz+WRX6HRN7nVMR9zGVK4bT
                                                                                                                                                                                                                                        MD5:755EF43FE4AAB7CAE2C2DA7CE10A750A
                                                                                                                                                                                                                                        SHA1:423B058EFFF8908589BFF756320120AED1454B3C
                                                                                                                                                                                                                                        SHA-256:4170A7DB857A937751EA07AF981B7F31A43FCAA58240456F1789B5F812AD2E58
                                                                                                                                                                                                                                        SHA-512:468124870FF78D353D174E454C0221408B882F97A9D9C2DA5C14DAB36A6E48BC8F73C229F20E7250278B6B0B3CF628EF631EF220F7498C4694C4D0BA85CC8A63
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.6752554941051985
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ldbn83FYyW20bWMYA6VFHRN7m2HR9z7YbG:/n4srFClx9zMG
                                                                                                                                                                                                                                        MD5:410EE7A35F9C5BB29AA397824BCE39D1
                                                                                                                                                                                                                                        SHA1:75792618F9940C7BF5DC052231945FC742D9A81A
                                                                                                                                                                                                                                        SHA-256:29BDE1A93C26C8EEB0EE4972F63D1D562541CD918F1868E691587C0B362ED1DB
                                                                                                                                                                                                                                        SHA-512:6A19E98CF43AEB70A4E1A2885875203F23A9C2B797A43748B840C2B43BB1C638EEF623C054C22D292B68683C44C2AD922B1700A0C642B0DD20E5FC91D4ADEFEC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3857072
                                                                                                                                                                                                                                        Entropy (8bit):6.688440344738366
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:35JRCk40qWhSxCKB+GuuYKfM21hDPX7dRVLTeeYjGt553P77zbr7jrgrr+c9NHXd:JJRCUhSzBpzfl1mja52rr+uNHXU6
                                                                                                                                                                                                                                        MD5:03817413A12530268745BDCC91AAC707
                                                                                                                                                                                                                                        SHA1:351EA9C2B95D678A4CA38A650AB3D1315D4E1561
                                                                                                                                                                                                                                        SHA-256:96E479247C696952FDBCBBADE7F4883F4CC464499A403E0A5FF738D297829261
                                                                                                                                                                                                                                        SHA-512:333C29DB2E0E691531AD01BCB871B12D43FB2EE5AF78151ADE980A1D1211BE85FAB6F570BD93FD8A2146F62E5C3C46288DB13DF3D96B40193E469B9308C24BEA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):849056
                                                                                                                                                                                                                                        Entropy (8bit):6.794704230215764
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:+FeeO6ALy/iA4mQ72yamRPFs7AGiFpIO+tFKQRYSHqsXeUcWDaqTM9tFe9Qvg:ZmiAlQ72yhFwAZF+tkiVcWoHFemg
                                                                                                                                                                                                                                        MD5:5ADDED89B8001FFA882A96EA03EBEC21
                                                                                                                                                                                                                                        SHA1:E5BFCAB29D9E5485DF9DC1BA057505936A33815E
                                                                                                                                                                                                                                        SHA-256:A2664E1104C16FB6DBC0603242E0AF6F0D38AC24A0EF01ECAAAF7DE65C56FCF6
                                                                                                                                                                                                                                        SHA-512:8786241DE8DB8CD0720AD5DB2AF16DC8C45A45F7C1BACE8E0617D237F1B4965AC52E5B6ED2838DD1C7A9AB98B80F5F5EEBD8DAEE3D15F549036923D383CB34AB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):228512
                                                                                                                                                                                                                                        Entropy (8bit):6.511612190549698
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:o60e3dNNnG64C2fNxE3SkRn5Hg49GqP2Y9d1:50eNjG6p4BKSiGqP2Y9r
                                                                                                                                                                                                                                        MD5:73C18427DA955DEAD09F5A4E6FAD1DA6
                                                                                                                                                                                                                                        SHA1:30B3F49B9945E775EA643B960B744CE418D9B282
                                                                                                                                                                                                                                        SHA-256:8700D3569EEF72DA62E12691FF0315C68EE52A1338E2DA0CF0B4DABE4DAEDF25
                                                                                                                                                                                                                                        SHA-512:5962B867BED237C785F15FE6344076E3FD5D87E5378DCF0EE26CD0B705819BF949089C5BEB0F3F158D6C5125B2B9073DE2B9F6B9738102A6EA4C53024F55490B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):537760
                                                                                                                                                                                                                                        Entropy (8bit):6.825314740819405
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:mLv9rD97INzrSLW5iIEobS5lEPsypTcenKskBvYvvyejaQO02KuXlz8J1J4+PDx3:SFrZ7IA65iIET5mYIKsk8HQVUASxWzw
                                                                                                                                                                                                                                        MD5:C17BF3E01C0C6CDD92FA8F7A9C443A48
                                                                                                                                                                                                                                        SHA1:1C2C87C078F55FA89AEC4577D1E8767EFF4633EF
                                                                                                                                                                                                                                        SHA-256:393C29BB232D566B91AFE4C7D6294D54997A48D43901043A9B499D62EC3F014B
                                                                                                                                                                                                                                        SHA-512:9509A361B4FA345ECAC9CE0EF69026EDDF2054CEDCCC5C7D7100C4BE31DD02697521E665E91E05E6CCFB9D9A46BC521DCFA77F01220234B473DF5E6D133AB39E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):173728
                                                                                                                                                                                                                                        Entropy (8bit):6.792861918315237
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:sKRVN4ab6HEuCKvSwOy6fM/vfovpPh/h/tmlIYrAoS1bUgM1ud:NP+GKjtGPh/hwlUoF1I
                                                                                                                                                                                                                                        MD5:B1B563F093EE1F4C05B3D0D9DF59BC05
                                                                                                                                                                                                                                        SHA1:AF1B3BC9BEE01FBF75759F17D57AF109F7FCABDA
                                                                                                                                                                                                                                        SHA-256:25F850EBE1D79A8DE785C29DAB88CC21417501186832D70FE68293993E2F6889
                                                                                                                                                                                                                                        SHA-512:25151F701606379FCD726C3B310EB52388E82943D1418467D9B23AEC48F00B43021E0BFEEC305F88778B0DDD9BB3C00FBF9CEB6F400317EE39072001925D6BFA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):82208
                                                                                                                                                                                                                                        Entropy (8bit):6.572626025407632
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:Kkm1ufOCUCV+/pNDCJ0gRlK03B5YjbwtHUfsCN7s6+gzWWzW:Kkm1DCUCV+hND8K0R5YjbwBCx+uhq
                                                                                                                                                                                                                                        MD5:6A08AEF4C00719F2E1642A90887C9A74
                                                                                                                                                                                                                                        SHA1:52903122F8643AB7D922560223D2472F890C4B1E
                                                                                                                                                                                                                                        SHA-256:95B052CC609C7F779C4A2C30461A81175573F4CB1B49506C7C3B29DF260D6D46
                                                                                                                                                                                                                                        SHA-512:223FAAB78C2E8BB6807DE872E82BCB0624D09B1992D7B274E22BA96E66F67132AF0C6F090196B1EE51AEBA25A83DD8EB72EA6C9A87F115A3DFD61AB371FBB890
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1807128
                                                                                                                                                                                                                                        Entropy (8bit):6.72398533519753
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:W2yyqByNNh+gDoiXDeR57e6AnUIVWUtQ+JSy6H7BWxkUvp:WYqcNDo+DeR57e66UIVWiRa7Oh
                                                                                                                                                                                                                                        MD5:503A05E956BCEDBB5E3FF1A6DAF2EA8D
                                                                                                                                                                                                                                        SHA1:F4E123ECCE83D4CC6E69304A8FA86D32577CC903
                                                                                                                                                                                                                                        SHA-256:C528A716B9BF682A7DDC56D69A55D71CE3C73CD113814C73988E376E2FCD64C2
                                                                                                                                                                                                                                        SHA-512:86BEA623426D2E79704C801B2535A48B46F7A38C6630A6F6C5E5211E6894784ECBA504BF91504902751A062051F530B4E65CF129584C1CA36A16C7308F9B5CED
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):639152
                                                                                                                                                                                                                                        Entropy (8bit):6.673308999442195
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:kskz/Mc4M2+yHm16kUt3p2YWjAp0FTRONXRdR9Rk3jQz9BLJq:kskH2E16KYWbIWkzjg
                                                                                                                                                                                                                                        MD5:0BD4CC6E18D3B09A80B3453BF35F36E7
                                                                                                                                                                                                                                        SHA1:7345C78FD49F71ABB6FACF5F20B65A3175459924
                                                                                                                                                                                                                                        SHA-256:EF574BE2C5237DD729950EE8817977C3160B217E27E16982AB2BDF8084DABBB6
                                                                                                                                                                                                                                        SHA-512:24C97828BF074D23124C4E34428A6E54B0E66B05EB73F4F4F28CDB1B4107716930144D3C2C2EA03190982C742989DCFE4DB2BEE65E0149E5EE519EE3E19FC759
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):552096
                                                                                                                                                                                                                                        Entropy (8bit):6.681059761488281
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:Llpsa0qYPGZVwldB8dhpm20B2APiOLlbH5GPCWZFdYHa4s:Lli7big2joWafs
                                                                                                                                                                                                                                        MD5:2DB5CD9B802280171D198A4F374B8A3D
                                                                                                                                                                                                                                        SHA1:E16E86316C521B3E37C90FA409B9E30405CC7AAD
                                                                                                                                                                                                                                        SHA-256:42E4CAF90ADE0509F673AED417AC59900170063B2FB40F456EA910DEA16ECB7D
                                                                                                                                                                                                                                        SHA-512:861222A8BBF7A286D00CC2F99553BDE3B465789179FB1371663929B2591BB4392C73E37DBBEBFBD26B37EE27E8567ED197161DEC646B39DB8BAB1299CF0A0700
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):101144
                                                                                                                                                                                                                                        Entropy (8bit):6.587604226793615
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:rh+n8sz4LAbKisUGADWjhDC3UxyBKPGPxRI/mpiAJzSvXVdWbzk:rg84DWisUZDWj5CkxyBFfIOpiJvXVd4o
                                                                                                                                                                                                                                        MD5:50522A3577CBF4009749FFE4E12C8421
                                                                                                                                                                                                                                        SHA1:D7A60C11F73D9F5E96607FC054B0A2C21492960E
                                                                                                                                                                                                                                        SHA-256:CD22271A328C2DBEAA059E01A8323FDDD00ABF7342B17973E19F56E8A18C89D9
                                                                                                                                                                                                                                        SHA-512:7F1D35078C85FF4D72491A7817BAB435E66E0E5579B21D3FDC112405CA0D4F5BF22B3FC558D7123B526A33C2FBA2D8E9037B47AC589BFE92E6A83698EB148C25
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):150688
                                                                                                                                                                                                                                        Entropy (8bit):6.572736787870477
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:L9UrQQVSd8IGazZOBzjG9LysLUYxPZLVXQ2VfxynL7D+1m4aKwN4:Kr/VwpGbzSLUY5Qna1NPT
                                                                                                                                                                                                                                        MD5:E22CE550763A5E1F7B972C9587C63109
                                                                                                                                                                                                                                        SHA1:81C44FC9CF5606B5FA01C33433448899E5B928EE
                                                                                                                                                                                                                                        SHA-256:05D32CCFFF26E886B935D25F59C175641B0E99302D54214D94C13498625C195F
                                                                                                                                                                                                                                        SHA-512:DE563EC654900EB5E8D20A368E05B9382F4FE069638B9D764D0E7FA19EEC47ED23F72DE532DE2ED44AA29738206285582169A51122B5ADB6A3FD4159B939CE28
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):79008
                                                                                                                                                                                                                                        Entropy (8bit):6.583609106071422
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:hd1ARHHv3bN0loUSZMg4m5DK2SvKBpK5777ZizCzX:hnWHHvr1r48DKepKtZICr
                                                                                                                                                                                                                                        MD5:DC07916645E660B316164ECE2CBB7F0A
                                                                                                                                                                                                                                        SHA1:AEC0C20BC3EF771483693302FE9E486B856DEF5D
                                                                                                                                                                                                                                        SHA-256:7E7AF8FEEC2277071F35C54A287242AB2018FC301E708F566DBFEF5CE33D62E7
                                                                                                                                                                                                                                        SHA-512:F96AB0812E712F5F104A2DF7096AEC061F7ED32B56BE4FA768F54DD97E0C1FE8F38884E4A8E9514A3E895E88B4832F9270F1AAFA9457E6098C5F1DB16AA6EFCE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):214296
                                                                                                                                                                                                                                        Entropy (8bit):6.693940725784127
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:c78vFw00ic76OmsmwLE3daI1h7IrHX7T1sWkN6OME/64BWm1kv2us+6M6eURojZf:IeFw0j3xbzhcB+ZfwNH6eSojCrk
                                                                                                                                                                                                                                        MD5:07A07FDE9199A72D6309494874F8A54E
                                                                                                                                                                                                                                        SHA1:89F28AF32C7E8CB5770B1AAF4DD719F537501414
                                                                                                                                                                                                                                        SHA-256:BE9DDDFB7A9D42F5161AC689A3B64D85C8E75CE74889FFC4793E95A0CE63B000
                                                                                                                                                                                                                                        SHA-512:E261EFC035F559836272B9F2131A19CB956815C99EECD85AA38A52D2352DE925E108570EA38F6DAA48F67F87921C425A3907010F5925B65908AAE09605E8A093
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):293552
                                                                                                                                                                                                                                        Entropy (8bit):6.63463896794632
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:n1azi2C1DH+sio96LEpuLdXmRw6WSLrlneg/mY:jrSK6LEpuLdmRlnjV
                                                                                                                                                                                                                                        MD5:CD1D6086F5E7A6150E11795CE3C8152E
                                                                                                                                                                                                                                        SHA1:A20C6A066729879C2FFC8AF1432CFD6528E87221
                                                                                                                                                                                                                                        SHA-256:7B7DC503E0C4308ABCE79512C8D3C68390CA70CA5D2ADA8B3DFFC55044892CDB
                                                                                                                                                                                                                                        SHA-512:ACFE41CD92B68AA5DD9ED8F7D642A7796AE2685E71EC3892F369D22C027D376C9930D56D63044CF59BB5457EF5CD4EDB3F7627FD75C5480B52D0220DA88FE4A8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):349464
                                                                                                                                                                                                                                        Entropy (8bit):6.6253757788002785
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:jWirRJNtPryZAMJU8AuxsPOWe5G8eopuFOOn5:jhR7tjyxIugMU5
                                                                                                                                                                                                                                        MD5:C534BA827DBE97B1D568A8F76D31F63F
                                                                                                                                                                                                                                        SHA1:95A39F1F53EB7EC5AD6CA825D4922C9F842776C6
                                                                                                                                                                                                                                        SHA-256:BEE41B3EC358C6AB828167EBE88EA7FAACF4834B3DF7432C92FB758B2FB7CD14
                                                                                                                                                                                                                                        SHA-512:BA2E587FC901B6340123A06DC924B33D9EAA4B1EF3B5EABC5738C08D116E1AC16943DA2F927029500E5EF44575289641C02F50F0FCF7166ADF9DA8F7AC5B4DE7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):685344
                                                                                                                                                                                                                                        Entropy (8bit):6.824608271687778
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:Mi+V+ZiHKzLkQ6kMIUMpygx3NL3dvwCvHq3L/Zg4h:MimHKz1fMOM
                                                                                                                                                                                                                                        MD5:AA0FCB794B32BBBA9813D7FEBBFD32C5
                                                                                                                                                                                                                                        SHA1:4AA0AF3D611330CB14EFC72FE803F116150820C7
                                                                                                                                                                                                                                        SHA-256:673BFFFB75840767ED7EBAB2B5DC8AD9134AE03DB4DAE13525C34AD0259FA4DE
                                                                                                                                                                                                                                        SHA-512:2628BD7D9BAB6871E1196F9B1380FC1ACD4DDE445F9EECAF7EAB7D7913EE11FCADE1BBA6741D8F7D5E939043DD36CB79112EAB70C953D579D51E34C309A0520E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):37024
                                                                                                                                                                                                                                        Entropy (8bit):6.496750745453374
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:nW+mFWAN7A98x33dWh8noYSWxRyOM9P3x8rI0vKnfrjRYFSlxgdg3a2myQJN29RV:8NKyM2y37WAD9wggLsgbjWFCl7ts89zA
                                                                                                                                                                                                                                        MD5:3301E5143564ED78720D0F03612F499A
                                                                                                                                                                                                                                        SHA1:FDC810CFC491FFF116B5F37DE1BEC78EE34598F8
                                                                                                                                                                                                                                        SHA-256:15798792F8BAAB0B1BFCBD8466C791A624A1796C6A9ABDF9F60771D6094E69B4
                                                                                                                                                                                                                                        SHA-512:E6BF1D68D3CB79ACFDE091350203B27B2D8148E3369A1A382EE727210D4A3F44818022F9244218D009B01BAA63580D12C05FCCE9F3DCD3077967A606C85D500D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):506528
                                                                                                                                                                                                                                        Entropy (8bit):6.740058323843262
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:TZ7w8ky6SctjxnyBDtnTDiL1h10I+nzL9wRopG+t+dRk4p7C:TZ7GyJctjxyBDhizNoA+t+dRX7C
                                                                                                                                                                                                                                        MD5:BB51E0D392A7FD7D7507CD4BC14C476D
                                                                                                                                                                                                                                        SHA1:22882A4BFF03922C5D2CC202831103AC85E8E5D9
                                                                                                                                                                                                                                        SHA-256:1BFA1A6A66D84EF5966FBA95C19BCE5E9F8D5FE51939902B9730FB5897AF125C
                                                                                                                                                                                                                                        SHA-512:EC89187EF407EBBA2A3CA5E35A746919CB8446E47F698F75514B198A5AE35ACF454A0904A45463D843D1480290E372D1D3FE2B972B421DFA420EC53C02871E1F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):166560
                                                                                                                                                                                                                                        Entropy (8bit):6.646097951171125
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:Joi5C2iVJp9C2Mcz7qucR2iVY3qwJhliW3EMluskR2+8bICbOc:ai5C2sJrbMczOucR2lSskf8bIRc
                                                                                                                                                                                                                                        MD5:B060AEEE1F03574C9B567E1B7F2F4741
                                                                                                                                                                                                                                        SHA1:BBD28613E265B04047406B9149524DCC0B2CEA0A
                                                                                                                                                                                                                                        SHA-256:893512032A693DBA282A2C9A7A8D95A64D8099C267B62B868755FBB50A36AA5E
                                                                                                                                                                                                                                        SHA-512:5C3922E47AC5D24EE3B5BB8409D9AA0AFCFFA40F73A434ABAFB8AE7AFE42E06EABA3A81F79684F9BEC5589CA9F2CE09D67119D2C4BBFEA2819E8194360CEC130
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):60704
                                                                                                                                                                                                                                        Entropy (8bit):6.534824454137025
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:jNfR5v+6SDbVXWTGEV3VulTTTTTTTTTTTTTTTTTTTTTTTTT0SWHzh:jH5KpXqGQ3VRSY9
                                                                                                                                                                                                                                        MD5:B1129490D0C33F7EA01D0366F8FEE431
                                                                                                                                                                                                                                        SHA1:B180A00E3A851C5E741D7ABAA58B1343FBAF839F
                                                                                                                                                                                                                                        SHA-256:6BA0F2C2C9FF2031956E15DFB376B19C54358CE3D3FE95BD1003EA026F908350
                                                                                                                                                                                                                                        SHA-512:980890ECF3D616629D5A9021CB6B5A3871A8E5948EF976D61EAF863C1856C933904517679E2F94E7E43E615174C8157570154A787CE1B6F7E6D26618A67E450E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):31904
                                                                                                                                                                                                                                        Entropy (8bit):6.54527100441263
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Q3WpNwWK3k/IKgZ3cZq2VUi6VGt1QWKlL/95a1NqOMUViKsYA6VFHRN7YBmo8R9f:QQqk/IdZx2Vd1HITUIKsFCl+moQ9zT
                                                                                                                                                                                                                                        MD5:BDD17CBF5A46DC3D656C2C730169A013
                                                                                                                                                                                                                                        SHA1:EE59429AEAC62F69EE4B13F79B2091847F5791B3
                                                                                                                                                                                                                                        SHA-256:AB719DBCC893F90B0FAC078E733707EA8B8B8457CD52D40D1CA60BCB1C0FF283
                                                                                                                                                                                                                                        SHA-512:4FBF49DD2E521C140828AABD69E90BB655E0ABC481A092966B64473D375A8B5A1E7038FF43B6E8310611D7812A6748772BCCA1AEC2DD818ED8134A6167B75F71
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):76568
                                                                                                                                                                                                                                        Entropy (8bit):6.486879247180926
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:e855wMIHHZGtiwpdI3OJckDDjH49YLOXCvzlchIbIJQ4zUWdC4dezF5g:P5ynwtxpS3a5DDjY9YLNblchIMrUCIPg
                                                                                                                                                                                                                                        MD5:3EDC4F4238DD043E45438DA61B13EA20
                                                                                                                                                                                                                                        SHA1:6133535D352BC23A25D82BB91DEBB7314BF09D8D
                                                                                                                                                                                                                                        SHA-256:022911160CB8430C2BC61076EADE816B739B410A3C677775FAC1AABEC3EE6193
                                                                                                                                                                                                                                        SHA-512:908512481F730F93BC7AFC3352356B99040F0A2B34980475B7DEFE38BFA167EF62349D1CCBD8692460F63DB684413197F2EDD156DAB9E319812A2532F8ED6FE7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):182040
                                                                                                                                                                                                                                        Entropy (8bit):6.636679003445195
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:MRYGqKe6VEqtNENTFsYz0UVUUAlTXRtnNzrepROMJwRuzTYZbQLmvhYst/Oo1BVQ:cqKJrWTSRzrijqu1mvh9tH1O/LR7hgS
                                                                                                                                                                                                                                        MD5:FB943368E3D0A8DDAF7FA61BCB5D17A7
                                                                                                                                                                                                                                        SHA1:41EACE094BE1DEDB08FA33AF0532CB3C965CCB94
                                                                                                                                                                                                                                        SHA-256:0761C0DD216C673BD2C195B3B5023DEC1A1EF1CC2CF7D6C4B7ACFE6D53D138F9
                                                                                                                                                                                                                                        SHA-512:C79F295C42DB420BF3E9E3344AA3431CD7A5556008709E2B62B32D22776BD5BCF95A8B397DBCB5EEBAA65C8F29DDE6C3341751579A88DF2283308C504B26685D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18080
                                                                                                                                                                                                                                        Entropy (8bit):6.564696056239549
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:TV6EWw139N8HMWo9VaWVYA6VFHRN7YtQB6R9zqgSvK:TV6Er139hJFClXB29z6K
                                                                                                                                                                                                                                        MD5:C6E66B36C6BB32576CAB9AAA8BAFD3CA
                                                                                                                                                                                                                                        SHA1:E03AC51AC254F0C83177348ADB372DB7A7CC6F68
                                                                                                                                                                                                                                        SHA-256:3096786D4F35FAB8C7888739CE0685C19E90384CE2C84F0B4086F6AECD119FBF
                                                                                                                                                                                                                                        SHA-512:0CFDDABA675E81542837C54D49902346E59B2F3DFFA7654BB52DAECF5EB97CD67F13A8EA4F2BD402F49FC3D1B2356F29A2B9AF64ABB0925F1C4FC7196126CB36
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.687048412668527
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:JrjAWaSBWvYA6VFHRN7AvxtHNsAR9z/qB:NlSFCl0ts89zM
                                                                                                                                                                                                                                        MD5:309039F112697E308D056D2158356900
                                                                                                                                                                                                                                        SHA1:189C30BF34796EEE0235E32B9BC700BEEF02F8D8
                                                                                                                                                                                                                                        SHA-256:64B6B0276153ED01CA5AB5F9025B77F0EB7B128DC70EF28772EA5F4908040982
                                                                                                                                                                                                                                        SHA-512:0E948DD2A3BF9AFA3A023EC11F9B084D8644F8992ACE329BA5C3F7272D70F98A09344E9BFEFB83581970250F558D86702FA7E55BF7DA4E80AF07C94D768772DC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                                        Entropy (8bit):6.697117344335608
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:oYav7sTWeuNWLupWjA6Kr4PFHnhWgN7acWssrSwKUWX01k9z3A/bsJtZv:8vATWeuNWLuYA6VFHRN742R9zEAXF
                                                                                                                                                                                                                                        MD5:9018AA6B91AA5DF3C88005096ED2CD7E
                                                                                                                                                                                                                                        SHA1:368E11B37E6A8BFBA84D6E467E4778CEB1337A07
                                                                                                                                                                                                                                        SHA-256:A526F157B4A51A1AD9B466486EC1093512E089DBCE9406CE68F2A277F01D4CA4
                                                                                                                                                                                                                                        SHA-512:BAA1ADC058D33E9500AE3C5C2E7E09967203833676B39B04B489B062C603C0D269531830DBB8AB174750A061606B0C4A98E7F5AE41C1B31AE5FAE2067FF965B5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):91296
                                                                                                                                                                                                                                        Entropy (8bit):6.552192386026593
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:h8ks3VsIlDmkz8gMnOQcdD1JqS4iA9mVzz:hPmVsILfD1J8neP
                                                                                                                                                                                                                                        MD5:521CF966B382E1EB5D9D01428228DAFF
                                                                                                                                                                                                                                        SHA1:EF28980F7AE17D97A3A75DD71BB7EF0C3ED27735
                                                                                                                                                                                                                                        SHA-256:73591E15ECBFA321B9F465F9456570CDE89DEE15D124151FD19757DFC8AD8467
                                                                                                                                                                                                                                        SHA-512:254181F918F52F1D1F78345D63BF25C048586342025A7667F123A15AD82C5631B1EE8665C6678C98B2D53D81486EC0ED972C893BB0F5EC071D147B98E5AE0B93
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):10637576
                                                                                                                                                                                                                                        Entropy (8bit):6.834783559373698
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:xKMweeI2ZQsU+fRIwvUVvJS63bXqPrLAU4n/0v4/PyGvjt:mC2SsU+fRI/VvJSyXiOyGvp
                                                                                                                                                                                                                                        MD5:7C5ED0C3E2AB441A064D45FA52283271
                                                                                                                                                                                                                                        SHA1:505A8AE8540487C3A13A29EB48512D07F0D3BD28
                                                                                                                                                                                                                                        SHA-256:B2F486B07E0EC96526CEDB244C6EE71F3FB41DFFE71DEE7DFB03F7D3E2731C3A
                                                                                                                                                                                                                                        SHA-512:EB2B02F4C4B1FA2F2D885CCA0B1C05D060EFBB5D14FB69828DAA29C9F0E02FA9C045AAF463F9DE180FC8B1DEFE249D52DDBDC342896EF85517946CA1C31D2E58
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2077472
                                                                                                                                                                                                                                        Entropy (8bit):6.72870931628793
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:SjARoZ/R3NMBSsdt1VRDBaC3Eu4cu+SqsVDFWStODPPLn2DLDbme:CuUZFPbme
                                                                                                                                                                                                                                        MD5:3F837ADD0F62A2999E2FC22AEEF45587
                                                                                                                                                                                                                                        SHA1:74008D3205279C03EFBE6517FAF6C1FB35F3A3D7
                                                                                                                                                                                                                                        SHA-256:94338A56AE23EBA25980E2290DF1C7084F999385DE40455D6D7079E4F04A252D
                                                                                                                                                                                                                                        SHA-512:B1615F323FDA3B0BB9B31AEC5BDA50ACB6AA0758C7DDCB5F5E0611BD814DD0E9B0A02493A0EB04A8E88F35C88384E048C032D82A775E83E4593F455860BF3C2C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):252576
                                                                                                                                                                                                                                        Entropy (8bit):6.802013587081938
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:yp8ZfzHkVNCVweEiMw8lDw3ccZejsMMNt:yY7EVNveRqlDQccQjsRNt
                                                                                                                                                                                                                                        MD5:1F2700BAD871C050F72716C0CAFF7458
                                                                                                                                                                                                                                        SHA1:B2998EA702ADF8EE08494E33D89EE03816BB74E7
                                                                                                                                                                                                                                        SHA-256:9DEDF16199CD1080BB1E13698DC8CE32F2812C793B08454BC90B73A9035E4943
                                                                                                                                                                                                                                        SHA-512:99C9BC15B2CA677A5A6C963C81AF4B20E6D2128C0A117C3D6D23C6FBBB0A2616704682A61AEF7F9C5CE350114DC9669F993495D0F940B2115025D63318DD72C6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):405272
                                                                                                                                                                                                                                        Entropy (8bit):6.713111186922785
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:03P9cNr3NWeN35BpICdwtH/lKPmSZpcHMp3/:03uNr9WG1itH/G1ZpcHe
                                                                                                                                                                                                                                        MD5:1EBEFB503EB38EF1D4A87FE02DC730AA
                                                                                                                                                                                                                                        SHA1:CA95A54B131CD0E6F8CD0606068C1902F5631B6F
                                                                                                                                                                                                                                        SHA-256:0B015273A1AC4FE3C25A248E91ABD4D10C76D70242C1DCAE45EA2BD9402B46D1
                                                                                                                                                                                                                                        SHA-512:DC311F78C2E91C22B9921E6B11D6B2CCDB285E22ADC8A35071BFF4C6461C218A0C6F151256A88359DE0C1DD8D142FA6FF6174D5CE8E7B0A93634EE90F48F71C4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8505608
                                                                                                                                                                                                                                        Entropy (8bit):6.821394087878173
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:04wrkcWo4NZeOfTZy0TaFqZlHX/UEewQbFo:RcGNZ1fTZFYQPjenb+
                                                                                                                                                                                                                                        MD5:43EC26D02606E233E8B10785D7B8B40C
                                                                                                                                                                                                                                        SHA1:478404CC0542C7B7DB249B9913CD1094D0A072D7
                                                                                                                                                                                                                                        SHA-256:11911797EA424D8103033A2D1D3D7352D92A7ADBF7297F91BDAD1D7918CDA122
                                                                                                                                                                                                                                        SHA-512:4859DBDD96AB539BB0929B3829110FABCF4D5DBEFA22729671E488258992CFA91B5BCF4BFCF1D3EA00CA78C4A19FEA7924F4862A3EFDA392FFD80B4033AA81E8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):66208
                                                                                                                                                                                                                                        Entropy (8bit):6.5748535239611074
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:zlGq66P0kymbnA0be+s8cu5BimUxbIuKmCinzk:zlx6URymbAiy8Bimx9mCIo
                                                                                                                                                                                                                                        MD5:9795FA4479E874973EBC95DB710F5AE7
                                                                                                                                                                                                                                        SHA1:710B8C7503ABC1DEEB1ABFEAD100043EA8E84CC1
                                                                                                                                                                                                                                        SHA-256:F20CADA99D1CCEE74B82670E3987372EADBC3DA3F87BA5AFD4203262E79463C9
                                                                                                                                                                                                                                        SHA-512:9D55902EB4E3C91BEC6264BA6B8BAECCF27D04136CFE6A2854A1AC9B4795F418D22FB8C2B120709AFE3610FF67C6328EEBE80A288F1CE127BDB8C840056575FD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.718453492542051
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:umLIkWVhUW3YA6VFHRN7TV/6fR9z+Arlutl+P:RL6JFCli9zhrlutlU
                                                                                                                                                                                                                                        MD5:33BB83C0329A3AA6508C3107B69BCB3F
                                                                                                                                                                                                                                        SHA1:CCF12D70AD543047A3B1B5C4AD6B9E9D146E3E93
                                                                                                                                                                                                                                        SHA-256:946DC1A1F9C330FC997ACD483DBAE7526850E36DBDB7BDCEC9AB641EC88F6177
                                                                                                                                                                                                                                        SHA-512:9ACCEBFB3E264AF66739D80966C49283DB1312ABA6E322C928F34FD946A304E18BEEDC94BD1D1222DAED8E82643C7E253CDF495FC5F835D1D5AAE8D78B6A0F0C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16152
                                                                                                                                                                                                                                        Entropy (8bit):6.716289561025598
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:pBAHj3OWxuVJWcX6HRN7L8h9R9zmwjSiD:+UZW4J9zLjSiD
                                                                                                                                                                                                                                        MD5:3BD0D0B84763138671CFDAAF0E86F9AF
                                                                                                                                                                                                                                        SHA1:40464810F0AA8A41FC29726B67D10C5A88566449
                                                                                                                                                                                                                                        SHA-256:287456D6B98567E5B329B69E533EC9B1D41AD9B5572913261A20004CECD8C594
                                                                                                                                                                                                                                        SHA-512:B7D55DCF369A632670023D92B4E07A931B1B0D5F341D7DD4300D8C3791C994ECE146B64DB442B4C72E1E418D281B92315BB386AF9C23CF145B653189E35C55B0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.7217086921406155
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:dlxqu8LLLW6MCRW/3YA6VFHRN7Sq//Bmo8R9zMLgod:Mua2FClVRmoQ9zU
                                                                                                                                                                                                                                        MD5:E148929B3AB3CA72254029548EABF64E
                                                                                                                                                                                                                                        SHA1:F26F7E2EAB2DC37DD5E3E264281A3F2E473C8B87
                                                                                                                                                                                                                                        SHA-256:5BC03566BE47D7C6EF6FC512B1A1665567E3F73A1BAB828263230E932EA4B596
                                                                                                                                                                                                                                        SHA-512:74E5645CA885543CDF7FB589647F2C75FC58C6325D613C8DBFBAA2A145E96B64353358D3691DAE454FBDCD43E4ED42DD187791227EF81A736BD0FF940E441A7D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15648
                                                                                                                                                                                                                                        Entropy (8bit):6.802306968215209
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:mIBjrxJ+WKbWWvwWxNzx95jmHnhWgN7agWarn8RwX01k9z3A1Zx+XL7Dm4:mgRJ+WKbWWvvX6HRN7zrn9R9zmwjm4
                                                                                                                                                                                                                                        MD5:B8B928549CF3DDC413906F366B00A626
                                                                                                                                                                                                                                        SHA1:416B4D51DBA2452EE7160045FC0E666F52A1D15E
                                                                                                                                                                                                                                        SHA-256:7091A88BC875AE71C24CA697176F0FDB7B80BBA874E3AEDF485EE5C5A99EED8D
                                                                                                                                                                                                                                        SHA-512:3042A1A2F456302877017476E73B8095F1FE4F2B36569140C61A1D6B30597FE42CADCE6147551CA099E0A751BEBE0B2A530381D1EA3CC6A01AF49ADFD5756639
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1130768
                                                                                                                                                                                                                                        Entropy (8bit):6.716178697279381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:Ac22hrYDBSZlNmj4C3MgRjfyTMCSTWeW8kJjaJlB9vN10wyQXoVODzty2el+jmZC:AQto0ClR2TMYpO/owh3Dzw2el+jgC
                                                                                                                                                                                                                                        MD5:0AE39983665F6795ECD075CD8E94B776
                                                                                                                                                                                                                                        SHA1:8059256845DB65BBE27EE549FEF7AAC5D984531E
                                                                                                                                                                                                                                        SHA-256:3680BEAEB634F53EB2FADCEDD43FDBE0763F6BD318FB01088DECB4D0441C27DB
                                                                                                                                                                                                                                        SHA-512:62C724C83658EA11321DCBE49F9764E0D5EEBCBD7FC1FAD81B707D8CADFAA6D7BD0B64221532C6681C4A421CF4D89963846F4241A3702826A8233013A05FA838
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.753447262554626
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:qrP0CPxxkYWSD+WrpWjA6Kr4PFHnhWgN7a8WgHH6J2OCjVi6KrIX01k9z3ALxQLS:M0+WYWSD+WrYA6VFHRN7L6x49R9zaxQu
                                                                                                                                                                                                                                        MD5:ED46EDD045A16E38ADD5814DCA362B0C
                                                                                                                                                                                                                                        SHA1:8E9CEF564A13E2800FCE2D7B447008AB28C5BA64
                                                                                                                                                                                                                                        SHA-256:A0EF5D467731B176A48C3D6B349EFB0E120365CD6CE700E02B8F02BD0D9FF5B6
                                                                                                                                                                                                                                        SHA-512:930E14F58DF97E446A1C2CD68DB2892FF1BFEBA972A7F6C6F548202269387F18D6E26C08CBF9124E9042C81ACC073A60EFFA2427D34135523ED8643D38C26C8D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):33440
                                                                                                                                                                                                                                        Entropy (8bit):6.476067104710918
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:kmSlEcREAwcc1+Wc+bgvPLfmFClits89zSo:RSlEcocc1+Wc+bgvjfyi6zSo
                                                                                                                                                                                                                                        MD5:6EB4649F4FDF0E31924DB943C0F4DE49
                                                                                                                                                                                                                                        SHA1:413C6B6D0531BDBAB8E939D8D6673C30D25AB8BF
                                                                                                                                                                                                                                        SHA-256:D700C814151CE8AFB89419FA0DA373444999993EB99BBEE129C7529C83595BEF
                                                                                                                                                                                                                                        SHA-512:5639B5E9220623D50A40A1D07FBDA9B63B718EBF7AC00B1B1C6807E4FD6464A7B61F0FEDAABC8840D6B0CF09079C6523A571D3C2F2D41FDF204559E526460110
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16664
                                                                                                                                                                                                                                        Entropy (8bit):6.7304228518382665
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:xe1MZK+hTxxYVk+jWhHCWWWhWxNzx95jmHnhWgN7acWafnjyttuX01k9z3A1iaMb:4EpiZjWhHCWLKX6HRN7SSR9zWia87T
                                                                                                                                                                                                                                        MD5:9E6DFCB7B11307322D29628962C8DA01
                                                                                                                                                                                                                                        SHA1:C92E0A8B9C638485F1FBB8E8FF5AD0C7E79B3142
                                                                                                                                                                                                                                        SHA-256:03B4718EC3BEB7F6F5C982C41117CFF12475C0656E3F6741106C9BCA2F582714
                                                                                                                                                                                                                                        SHA-512:4D9C2C0B293C2994BABD297167584BE76438B77595B8936ADC467A54960AA06A3DD6214EA569FA74A16B8B385DA3A068C783851566248A677D73C8AFD61813E2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15624
                                                                                                                                                                                                                                        Entropy (8bit):6.785037363575662
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:SFP0axKOW4A3WIEppWjA6Kr4PFHnhWgN7acW7m/yttuX01k9z3A1ir:4PZKOW4A3WIEpYA6VFHRN7GvSR9zWir
                                                                                                                                                                                                                                        MD5:32B77094CD111197938D57101F437A87
                                                                                                                                                                                                                                        SHA1:0D19DE916A18106E63F25E9E0DA4E13519FD0847
                                                                                                                                                                                                                                        SHA-256:27125239D58403F260966DB56F490B94A6992BFC8BB7391E255134BC24B956D3
                                                                                                                                                                                                                                        SHA-512:9BCC1B8A2D17EDA2C97B2F30AFE73C73F747C2318824D93231F6E5C5E274FD724AFE0987D1C77F4F07DF4EB1165BE77C943D439D3370F62B9D932D5744E78CB6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.76516043840326
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:n/msL3vWVszWSYA6VFHRN72JBmo8R9zMLArCYXo:uszVdFCl2TmoQ9zhj4
                                                                                                                                                                                                                                        MD5:D9DD864AC4B90BA4E63AF795256B701F
                                                                                                                                                                                                                                        SHA1:4DBF63E5D8089DFA2792A9A54AA91D6CC2682173
                                                                                                                                                                                                                                        SHA-256:0DA11F94B9CF32240B99497802076E9C4A37CF0F4E46AD83D63FEE3AE7B5CA9A
                                                                                                                                                                                                                                        SHA-512:8758B926D8AAB3D09BEE8AD989EAC867EB989D31D625DF6C6CA9873DBD66B0917657A358CCABDFA4A816DFB7BE877F96A36A0370A9FD58824DBC2159B04A2B82
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):45344
                                                                                                                                                                                                                                        Entropy (8bit):6.554040619235554
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:bp7oRtyqsSfySDzEjIPvG8lZ6r+WJR9zLjk:bS/Hjnz+0vGU3WJDz
                                                                                                                                                                                                                                        MD5:3B10AEE75EFECF3842D35624FADD1592
                                                                                                                                                                                                                                        SHA1:859B1BC05DB81D2C9E1D4BBB78497201DF4E5F10
                                                                                                                                                                                                                                        SHA-256:F6E56F2540DD97088089B7BCCDF9C8DE63B9EFDCBA8F413C4D691D0D9650B059
                                                                                                                                                                                                                                        SHA-512:EA64E351A623C949EF1E0D0780B5BC2921AAC34698FD106194E87021D2A92200BE2937F2DCBA7651386E4EA6554AE52646174477E4C3D8EC923B4222A6289FB0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22816
                                                                                                                                                                                                                                        Entropy (8bit):6.422373350096493
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:1Wgb2WYaXPPGmNOWWWfmXonPQ6X6HRN7wdkyEpcR9zt5dod:F5HGmNG0LWuEpw9zTe
                                                                                                                                                                                                                                        MD5:0CD66CD03167DE27EBA44176A20B1DE6
                                                                                                                                                                                                                                        SHA1:79F3403535AC862911ECC216499325CD0349AE22
                                                                                                                                                                                                                                        SHA-256:6C14B33F85E1F559D4FEC82C188D7377B9AF11D24F17DA66BC6F30FA72ED59AE
                                                                                                                                                                                                                                        SHA-512:4027EB337FCC5271DE79FD72845EDFE65BD1D27B3D2C027E4B789D58A511A9584D0893A6D17C04C3C4209A7720B661A4916EDC62B39F700EC1AC334AC1ABC336
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20128
                                                                                                                                                                                                                                        Entropy (8bit):6.579414670424758
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:CWsELWh2IrR/Tvna4EcWQOYA6VFHRN7JBR9zpO1:LS2q/Tvna49OFClJr9zw1
                                                                                                                                                                                                                                        MD5:9797EE9E57A027A698160566E9D90B25
                                                                                                                                                                                                                                        SHA1:466BF47F20DDEE5EBDB17882B6516CB0D3674B82
                                                                                                                                                                                                                                        SHA-256:F04A92B890D871BAA63CED5AAE3A993157B2EDD8AA5996607A046CFE9A4D63F8
                                                                                                                                                                                                                                        SHA-512:0FBDBF279B2E04631FA19E948D2F03499D1B7F1ACC9512B402DBBE2DA7CE12F6090D9393415E94F77D6DE380671506BF4F4BC851F88C103E344371D081CAA66A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18184
                                                                                                                                                                                                                                        Entropy (8bit):6.6208527927079635
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:J5y7UByGe9xCEW60W8eNWUYA6VFHRN7B/7R9zb32:faUByGeY0FFClBF9z6
                                                                                                                                                                                                                                        MD5:BA4C37FBECE8728A70A1C5F21154BE54
                                                                                                                                                                                                                                        SHA1:2686CE405CA08FBD43660D80E4475BCCBBCC1D51
                                                                                                                                                                                                                                        SHA-256:58B0A3FF1CE0C24F66A2423883700E12CC92952EE14AD27050351739271225CC
                                                                                                                                                                                                                                        SHA-512:BD60A56C2A6E6D33BA3B103ED0C444781A8EC038CD47EA0F4EB65146E922F52F0EF7BAAF6DE33807A00A663F7ABAF495346C1C649A4FBEFBFD2575C527AFA5E4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15520
                                                                                                                                                                                                                                        Entropy (8bit):6.812071918414655
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:4915xIWArmWJYA6VFHRN7DmOEBmo8R9zMLlt:s1ehFClDmlmoQ9z8t
                                                                                                                                                                                                                                        MD5:ECD54205E9F9C25C99C25583E31BF19E
                                                                                                                                                                                                                                        SHA1:CBFBC8186DDDE62ADBE8323A68354A04B2C5EDC4
                                                                                                                                                                                                                                        SHA-256:020BA76742ED8911E167343EE9D1BED08C4F3F21C8DDEE0A306D163FF6B58FA0
                                                                                                                                                                                                                                        SHA-512:F9C24AECB0439B8C1EDBBBF6A3E6E90F69DB2B01225D7CBB444F4E757C6625900F695057CCBDB4DEDA40C7B24BE879DFB61324A0B1D908DDAAD9418E40FD5D92
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):31904
                                                                                                                                                                                                                                        Entropy (8bit):6.4408952831148465
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:NWHhUWxi5ciERQXIG6KMWFYpmGRuOWB/r1YA6VFHRN7ZE76R9zqgGcwH:gHpKMWFkmGsvBhFCli729z58
                                                                                                                                                                                                                                        MD5:7BC6DA57F4A287DE416B8DF0C1ECCF44
                                                                                                                                                                                                                                        SHA1:355DB90FE8B41076042315E3F8E967A3608DD2C6
                                                                                                                                                                                                                                        SHA-256:49314E6C92F60098842088CC69B2EA044F28EA571983191B6154F327302066E3
                                                                                                                                                                                                                                        SHA-512:C9B29F0DC2BE91D61EE4AEEDEB20F8C2526E0CED3A191E565AE118769101B83174AF091EDF9892FC10A39A199B6FC6B4A46A54E561BF24F76D74D23B0A699166
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51872
                                                                                                                                                                                                                                        Entropy (8bit):6.472004749878635
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:C5oK6fKfIPMWW/z2rg8Z61rvZqhwFLUFMjVYuPkKFClZts89zCVi:C5oWfIP8z2r1GqhwFIFMjVPPkmibzB
                                                                                                                                                                                                                                        MD5:268A59245835DBFBFD3C23BF744D39D5
                                                                                                                                                                                                                                        SHA1:55874A6B8EEC97204791FE1DCB081E85E50CA1C0
                                                                                                                                                                                                                                        SHA-256:0CD3306A5380E59B1C61B16461DD8A0A76E58D677E7DA1EC3741BB64EFA25AAA
                                                                                                                                                                                                                                        SHA-512:6929A0F97B645AE062F6FDE1F8593AA3AA4E89F14BC9A253718615477FE79D5DE60AECFE4C33B32B0579719AC2AC241A5B243D3CA0063ACB1CDEB984C858756A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16656
                                                                                                                                                                                                                                        Entropy (8bit):6.679809972102448
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:G1d+WmkLW/YA6VFHRN7IUmRxB+R9zrPGkq21:4EFClIUmRxw9zb/1
                                                                                                                                                                                                                                        MD5:115B64552BE0B3A33E0645EB04D78D65
                                                                                                                                                                                                                                        SHA1:A7EE75D3913B34AEE6516DCA723FF5A0BDD46B78
                                                                                                                                                                                                                                        SHA-256:9FA85D63880EB178AC4D425F54E3A25A2E863EBF8DF62ABDA3333AD711B1ADAD
                                                                                                                                                                                                                                        SHA-512:93D02C37FA25936EC59F3EC1905BB071576044AC4347233833E7D692EF8FF5C6110B836EE92E5EC59BAFB8CC291185DCF694DA3C0493010A85B2993D55B39E3B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16144
                                                                                                                                                                                                                                        Entropy (8bit):6.728895977359552
                                                                                                                                                                                                                                        Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):221960
Entropy (8bit):6.873049679860797
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):322840
Entropy (8bit):6.6930952327752244
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):16032
Entropy (8bit):6.714776898123936
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):28832
Entropy (8bit):6.457861200692383
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):16544
Entropy (8bit):6.7468972537613645
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):17568
Entropy (8bit):6.623513768064609
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):42656
Entropy (8bit):5.805080563655079
Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:wBV0jdpFKYl5f4bGRi2xVbcVT4pEQPFClV629zR:MedGYl5f4bGR3G0mQ9ioCzR
                                                                                                                                                                                                                                        MD5:3C99EB88F752B9D377C96ABE31B7CC06
                                                                                                                                                                                                                                        SHA1:3B7BB82E17FACDBFF666243E57D3B19B2565D09E
                                                                                                                                                                                                                                        SHA-256:787FF92525E6F78436E27C144BF888EE9714F07BF0ADD7EB8BFE1F7326E31810
                                                                                                                                                                                                                                        SHA-512:07B15FE4A1576E5346FB05F69276A11F9F94F9CD9131A25F8062631C276765C8445912025B9C633B81E5D4544261A8B5B664B87A679E6613CC91C4E21A6917DC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215320
                                                                                                                                                                                                                                        Entropy (8bit):6.694713736900479
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:2GFAFB57nGa7V/aDGB0krnx7lZnFW2iBeVICTiupU8TVUnVZ5PDMXZo1cQtSckOi:A7GaRaiBv7lZoeXZ/MI1
                                                                                                                                                                                                                                        MD5:1CD883D7FC4B80840F269602EBE7EC72
                                                                                                                                                                                                                                        SHA1:7301B341569A5FB6085795EC5DC016B5CB93ACDB
                                                                                                                                                                                                                                        SHA-256:91D7D0C8DE0D1B387200906EEF67D528BBCB8EC0D9726F292B6EBFDDA71E95DC
                                                                                                                                                                                                                                        SHA-512:9CF35D3E26F254180658F42C2BBDCB7EBDDF9B736F1F17C60C9A83912D477A9604C954C288303CD865E34C53D6B641EBFE90A9AEE4723E2D64C52614B12653D6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):94368
                                                                                                                                                                                                                                        Entropy (8bit):6.447995362526241
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:HeNGF95xttKvsq85yOuX3upafbqb958kGOQwQ7rzUU3q2bP6MOVK1iKmVzk:HeIF95VKscOuX3upEbqfyOVoOY
                                                                                                                                                                                                                                        MD5:649F20AA9F4B7DD23EB7160023B0A56E
                                                                                                                                                                                                                                        SHA1:A553D8B8A1EC4696616BC9D34CB33ED9AEBBB04C
                                                                                                                                                                                                                                        SHA-256:6E6FFD7211B25A806A466B48A729818A7A7592570D2BF926B8AC04D078220102
                                                                                                                                                                                                                                        SHA-512:C84C26A99CBF44831776F8CE7739112F385F779DEAF7F2256D4824EAF1BC013D6EE18B7B92F24B4D2257FED87ECBA8EB6BB1209795FC240D752FD2B5386F9641
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):808712
                                                                                                                                                                                                                                        Entropy (8bit):6.667176908618659
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:p9Dux8VLSQjVqSlDrd571xOEc8wRBul3v8x5d4BSV:ptux8VLSQjVqSlDrd5n+BuZEx5d4BK
                                                                                                                                                                                                                                        MD5:A266B1B3765863C6F80A8A7DA92EBE06
                                                                                                                                                                                                                                        SHA1:2CE8B15DA8CEC846F447B7A1E3486883784DA143
                                                                                                                                                                                                                                        SHA-256:19595880A932FC70CBF4DC31C122E3341DFA6CFB9E3EE9999D66D861C4B03F66
                                                                                                                                                                                                                                        SHA-512:E01C2F91C20361D105CFF994E62D1AAC1D7788884F3DD076BEE287503958F23F182B60A7A5C7094B387711BC0B2032AF8A2D31FC8408D85B2DF91A0BFC85767E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):486560
                                                                                                                                                                                                                                        Entropy (8bit):6.689433219916561
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:D0pdtbsk7ZTs0ilUfa0BEuUWZwgZExhelA1z:+DNTvih0BEuUWCgZExhxz
                                                                                                                                                                                                                                        MD5:01DA5B74F8CEA47CCDD769EA34B2E7E7
                                                                                                                                                                                                                                        SHA1:A9D2B1983176ADA553B4B608F2F5515432718425
                                                                                                                                                                                                                                        SHA-256:7B5C8CB2871FA9C53F20CB5316906CDD610357C904734C1E4B5BCC738FA29CB2
                                                                                                                                                                                                                                        SHA-512:9C260DF60E5F631751C2761E58A27D019E3515AF594C44557B36EA9A3CCCB976014C3767ED680637EFDA20D0EE77FC38ABBD7EF94186E17B3BE27D9566B10DF5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):189600
                                                                                                                                                                                                                                        Entropy (8bit):6.633371366781308
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:JNEmWBQH04BekCQUVP2xrwOy09JN/KBWAUQ335BotelqKaMJDBy/x9u:/WBQ3E1kjUBoteJM/xI
                                                                                                                                                                                                                                        MD5:73744EEF11A5BD7096F5AB01661A1CF1
                                                                                                                                                                                                                                        SHA1:772C4483635EC0A417139F8955A943D3D02BBBC9
                                                                                                                                                                                                                                        SHA-256:8FA0C869538128A9FB2A95AFA1ECF51D43A955A0EF719D9613E420DEDDBC3448
                                                                                                                                                                                                                                        SHA-512:14E14D4680AA4EB6F1AB2F0679B3B4E4B67EB012D32D03BE51DD116B0264547077C78F41DDA1504B9C048FC17158BFA763A363A5A8C1115B3905E4513FF890BC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):93856
                                                                                                                                                                                                                                        Entropy (8bit):6.408085753053331
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:9EhT10RdVH8EOY7wmlYcNLyoOeSRzmIevYcfiLrszHc:92SGEOY7K8LyheSRzmdvYqEAA
                                                                                                                                                                                                                                        MD5:081BA64231096D11B96E241626C3EFED
                                                                                                                                                                                                                                        SHA1:BA4F7864F8465DE68F6DE98B96FBE6E7444C1B1D
                                                                                                                                                                                                                                        SHA-256:B661157A26DACAAF86E88AA9E7443BA9FC19D1322B9E262B0A032320666B5E57
                                                                                                                                                                                                                                        SHA-512:4DCEAF18F9460650B7DB30FDC9A3CDF512FB9B97B482ABB0CCE54411B4A0572602F8337D4ACDB699CEB268DE11FA791B1D352276EF79AB71ABFD81BCB09ED9CA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):32032
Entropy (8bit):6.245677631794701
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):134928
Entropy (8bit):6.568383371998579
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):569104
Entropy (8bit):6.706114555400102
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):151816
Entropy (8bit):6.6623046410034386
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):15520
Entropy (8bit):6.823849132456246
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):15520
Entropy (8bit):6.809520266690687
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):18720
Entropy (8bit):6.611731936380794
Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:6+rueDWLr3WssDW5kpX6HRN7nd9R9zmwj+:weDW/0MyWl9zLj+
                                                                                                                                                                                                                                        MD5:7222BD0ED170B937B857CDA48DF38B29
                                                                                                                                                                                                                                        SHA1:EDE40D82947E7139CB96AD5E941D193AB8D25116
                                                                                                                                                                                                                                        SHA-256:91B24F7E448513335225FF739391C30CF398DFBCA53D704BD3026AD174EAC7E2
                                                                                                                                                                                                                                        SHA-512:0A20F683926A7328C74CA5552FAEFB12348DDBCD4347B32AC17A0F26FC7641C66654CEB72951338C2AD7420E097A238F62CFA372B45A1DA81EDCD8DDCA88F1A3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17688
                                                                                                                                                                                                                                        Entropy (8bit):6.6159722799904985
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:RiSEs6760DX88kgHWGlK5WDWVWxNzx95jmHnhWgN7acWcqcADB6ZX01k9z3AvB2Y:Rx4HWyK5Wi2X6HRN7HqcTR9zi2ep
                                                                                                                                                                                                                                        MD5:0BE0FC7792DD4107FACCBB6C5E819429
                                                                                                                                                                                                                                        SHA1:7CE6C761D7197927B0C9B670B25F95FBA8677008
                                                                                                                                                                                                                                        SHA-256:9FC7DB5B190DDADA2AD2B2C5C0B428D14CD107A868B0B0D06BF83D7E4B2B1187
                                                                                                                                                                                                                                        SHA-512:50AF80A385BCE161506892B1FF136AD28C4AAFD18B27475F1362FE4FD0CA5583B00F3D1400E2CE0BBD1C6526793596500F8C90B6F4FC60E25687BCDFE91D3F2A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16656
                                                                                                                                                                                                                                        Entropy (8bit):6.719664758889804
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:KlLKpWniklpFWTYA6VFHRN7eRxB+R9zrPGXMBu:KlcFCleRxw9zbVu
                                                                                                                                                                                                                                        MD5:6D61C8D8F949F7899E5BDF02A9186D52
                                                                                                                                                                                                                                        SHA1:3BF8837A00B740FEC56E538BBE0758323E6BE5EE
                                                                                                                                                                                                                                        SHA-256:1765BF825BD322CD3F2C9C4F282F6B4B2874AB5F54424CF88BAFDCF3806B650D
                                                                                                                                                                                                                                        SHA-512:F3219549CC1222130D4560C06EEDAD0D393F2C5F3456638FA8990D47D919BF69BB5895E2E64CEFB24057F257219B9F9BDC7946D930C098AD6E01ED37CD297607
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):871072
                                                                                                                                                                                                                                        Entropy (8bit):7.503965752504184
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:C47xn7kZQ6kliVreJIHHr0tRYbKr2KtG9VKABC6rPOREDfP7/1qilhhWn8:CK9km6k/IwRYbiBeKGCtREDrZlLI8
                                                                                                                                                                                                                                        MD5:A297FAD4F040D3BE6A776823222370A1
                                                                                                                                                                                                                                        SHA1:7B21ABDAC2864A1D23580028F106ADC07D7FF079
                                                                                                                                                                                                                                        SHA-256:4C10D3F1879DCB256A5F55A4975160CB01D87B0857A71BB76C5D1B94D9735C58
                                                                                                                                                                                                                                        SHA-512:E0926A9C29E7FFDFBF6054A73CF5E0A102ECC8E1C0833E3AD67EB0F519D0D26B2C704292C19D66548AEAE1A4D49FC548CAC7D7426CB48FE5476343196D639D7A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.713017326605703
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:RTZv49xxhXW6aJWA0MpWjA6Kr4PFHnhWgN7awW9xu3O6YX01k9z3ACTEmv:Rtv0XXW6aJWCYA6VFHRN7MR9zpTr
                                                                                                                                                                                                                                        MD5:9BA8E74518DE0D3C89CFD095D76774B3
                                                                                                                                                                                                                                        SHA1:4D5C19C83AAF0358557302598B305C92245FEEAD
                                                                                                                                                                                                                                        SHA-256:B577A2571AF2A31531E7AC1F42AD0E82D9ED6F0C51C91DBCEAE151974FA9D733
                                                                                                                                                                                                                                        SHA-512:A5F03F6F7E9D80662EB904E52A362269964AC2BA7D7821CEE86330BE80CD55599FF929DCB041870CA9EA10332503992CFB6AF74AF7CF78E4067D71688577D436
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.76321590690436
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:Rc+gBIocxxXUWfONWjypWjA6Kr4PFHnhWgN7awWtH2Wxu3O6YX01k9z3AC/Uf:SGNUWfONWOYA6VFHRN762gR9zp/Uf
                                                                                                                                                                                                                                        MD5:DE2D5FFC7DA3DDC810E5AE721879C79A
                                                                                                                                                                                                                                        SHA1:0017D411EA8D53ACF3286062344AE92966B74D71
                                                                                                                                                                                                                                        SHA-256:2A004633F91DC186CB645312BDB34B8148244BF65D9F4EF64EA0272581DF0E00
                                                                                                                                                                                                                                        SHA-512:0C24AD14FF77A63B3A829EFBBA88E5C9DF6DD74E30AE6BABF9F4F05B5F986BCAFA1572835BD20E49B5560919B313FF4EFC6862ACEF3707BE8FD73495A75F0120
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):131232
                                                                                                                                                                                                                                        Entropy (8bit):6.509086593989503
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:mx6SikhsB8/IZL15zgxiFS2NjNc2aBor8c5qUCNr6iAoAnlJH9RCbFAgynBRg9Pl:mx68p/UjfYxSwKqqOAl/RNlnzg9Ra41x
                                                                                                                                                                                                                                        MD5:7D2E013F3006010DB2765A9FEFF1B6D8
                                                                                                                                                                                                                                        SHA1:E2C9523830A3CE2D5F600303307527A1C509F05B
                                                                                                                                                                                                                                        SHA-256:4399526804152950F4BBE11411495790A03DE100EE484E42E0E35F5E211C045C
                                                                                                                                                                                                                                        SHA-512:3191D9C4EFB3DC14D8BF13349A10DDED28E7647628ECE3722B0CF2656A8F1F135936A6713C5A685A701B6ECE4278EC57C4BC4FABD3B56A65D5EA00FDFECFF59A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1483016
                                                                                                                                                                                                                                        Entropy (8bit):6.815422206418889
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:6I8nUX27d6bHUw33pdQh6I1T3bpbh4kiiqggS:6Ip4EP3pWh6ybfn
                                                                                                                                                                                                                                        MD5:DF5F08F791218A56DF0814A523EF6140
                                                                                                                                                                                                                                        SHA1:9660F398F01ED1E856EB88C3C7EE4DF56875FFE4
                                                                                                                                                                                                                                        SHA-256:FDA5F4C3C49C7DD89A973B85FD369286B174604BBA731777C6C84D10C688E135
                                                                                                                                                                                                                                        SHA-512:26ABDBAC88C09E847B9B005982D709D1CC0D6AEFC58D09D98944BD7A04CDB75A6DFAA2E3B573C837906BF2C15D19A3452396A2FFE31937196FC0A3701F71FA6D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):530080
                                                                                                                                                                                                                                        Entropy (8bit):6.7790299482557845
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:ojaCSWfE1hvpmzn7z/HpVxn87bC/m+VvHKHhiKpwR4wcMPVZ22R3+yLAR6Bt:bW2Yzn7z/HpVxn87e/m6CHhUPVZ2qjLd
                                                                                                                                                                                                                                        MD5:E1BD563427583B969B5CD81AE03CF21C
                                                                                                                                                                                                                                        SHA1:F0951B08E22C3A111ED6551CFF96CA65BC68D5D5
                                                                                                                                                                                                                                        SHA-256:32BDA8FBC0E27628E5960023F9B3497474AD45BE38A26DB91DDCF994AEA58023
                                                                                                                                                                                                                                        SHA-512:AEF13497EC93C68AC4714FA6D1584BA3FFB05035483A1AD51F2F56272F530E4A8F830201151321DB85EA31E31EF86609FFD69115180931169CCC78FF8051305D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):125208
                                                                                                                                                                                                                                        Entropy (8bit):6.6926595622420795
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:EWHXI3rkKaiG9fxBFXRPxlhzKhtTwg8AHWDV5ydNLnM:H33Z95BFXRplhOzwDDUNQ
                                                                                                                                                                                                                                        MD5:9FAC44D3F1D3714F6BCDECBC911BF634
                                                                                                                                                                                                                                        SHA1:F5FCA532CD5A29E9F41FE5FEEEB5CD1EABA42DFD
                                                                                                                                                                                                                                        SHA-256:6C05C1BF3E425FE11833522D910EC9474345102E794CB3C4A05377F28DEB0D5E
                                                                                                                                                                                                                                        SHA-512:262065DF3C55D85629E9A57AFFEC41E4DF8AF5577131F5318124AB8D9B68894A1EC8D788CAC0A25596C6D20B50B9BAC0D2DE9E5B098D034FC14CA9558D43F7D3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.7130883870672715
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:6NB+HYCHjXuHVdHDH/WcwHWqYA6VFHRN7KmZR9zpvl:sQnhFClKmT9zH
                                                                                                                                                                                                                                        MD5:0571ACC76195386BB9D7FEFCF854C263
                                                                                                                                                                                                                                        SHA1:51C8E70BE147A9C82D49B26B5FBE9BD2EF8369CD
                                                                                                                                                                                                                                        SHA-256:0199A3E5BC94A8DDDD07EF619683B1831B13084BDCB44D30CDF959A567B69A59
                                                                                                                                                                                                                                        SHA-512:EF886BE55AEF9293A2259433C4FBB405F8BDA6A67025E235D612AC341B1A8AB3920A8B59F3E87E466300A8EC62C5813C6673F268311C967C98590061ACF2F17D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):505624
                                                                                                                                                                                                                                        Entropy (8bit):6.776900991764264
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:95En4vc03uPIhST/NO/bT8jM5REzxEQRChwMeVB8v3Gu/L2SJESGskfT5v3P4m9J:95sEqChwMyB8fGdSSvBb5v3xeNEd
                                                                                                                                                                                                                                        MD5:BE2332F27FECA6E279C382151EB1F6B1
                                                                                                                                                                                                                                        SHA1:31E2F490BA6EC094FC894480D18D62FDC32993B8
                                                                                                                                                                                                                                        SHA-256:A42B2F43B7CEA67E6ED83EAAF02A487EF22EE4891ED355654B899CE9C5D3062B
                                                                                                                                                                                                                                        SHA-512:05962BCCD50DA22CD9500C3F57D4AB86BD351AD6069F30B494E3DB7DB5841FC0689092DD2C7243A11A0A853B763121EE6CA9F3B3CD693B7D3FD6BD9F05234C98
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16048
                                                                                                                                                                                                                                        Entropy (8bit):6.806161371697177
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:sz05p091rcmeD9RhGWSgXWhX6HRN750gv/6fR9z+AnVRZdn:sgAkZ6W5O9zhnLn
                                                                                                                                                                                                                                        MD5:2E73D00493B815F11A05C3F63CD4C0DF
                                                                                                                                                                                                                                        SHA1:24EA414EEF67A44D342CBAB0E154E4A6F8AF1E7B
                                                                                                                                                                                                                                        SHA-256:CF03542DBC9EE66F39B1F7FF1F3C140FFDEB95995D852E2491EF347F291C2957
                                                                                                                                                                                                                                        SHA-512:C9A9446033D4948AAFD99BB22CFA2C9D877CFAFAE63709229C6D12CAF087BEC8FDE12E6AECDBCFBE646065CCB5C55C80927680DFE4DB74D8DC96A03565CBC8FD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):139024
                                                                                                                                                                                                                                        Entropy (8bit):6.704071507025856
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17176
                                                                                                                                                                                                                                        Entropy (8bit):6.719573029193257
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.743184429618755
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.696655038011177
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15640
                                                                                                                                                                                                                                        Entropy (8bit):6.822464705364611
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):80160
                                                                                                                                                                                                                                        Entropy (8bit):6.552617630589504
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):351408
                                                                                                                                                                                                                                        Entropy (8bit):6.645438345682704
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17160
                                                                                                                                                                                                                                        Entropy (8bit):6.671296739666298
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:p5uFRferVWzniWQMYA6VFHRN7TbV2R9zEx0H:3uFRam0MFClnVK9zou
                                                                                                                                                                                                                                        MD5:D07CB5BEB58C160D2C91CD7BD180279A
                                                                                                                                                                                                                                        SHA1:4B8ED2324043AB385754645768735CC18381B484
                                                                                                                                                                                                                                        SHA-256:B1758317695CA37A11A6B28D6580BEAA3E24B84C31BFFE08268B1B9D1A3EF66E
                                                                                                                                                                                                                                        SHA-512:DFD5DE8F66D4B743E7633A4C7FDBDAA6A9AFA0D886B17540D0DC7991294554E1E37E6BF690BCEDABA6E2DE51620F01B87BF08AA5F4A42AB99DED342BCD46F473
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15640
                                                                                                                                                                                                                                        Entropy (8bit):6.8271170909193595
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ztCdcH/3WtLGW/0X6HRN73SVXC4deR9zVjoxE:zt1WcW3SVXC4dC9zVjGE
                                                                                                                                                                                                                                        MD5:F741922F1BE081E21EDA4B2914767B53
                                                                                                                                                                                                                                        SHA1:F9ED958AF5E6C03AF36B96B186CD7E401C4052AC
                                                                                                                                                                                                                                        SHA-256:8DA6AB511A6534D713978692672EC276F314A47CB5DDC14C86504AE60C2FEA47
                                                                                                                                                                                                                                        SHA-512:7F0FF4397FDA2F9431B7B6D9293CA67337F0A14BB6413657E5930444564CA9AD782BA9BCD8D58051DA9463C15FA976DDF6C468EE2AECF16461FE494C01EA20C8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):53008
                                                                                                                                                                                                                                        Entropy (8bit):6.688774065052827
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:AwDvSbAkyFFQk7Y32OoPXCcPAhiTEp4zg:ASvSb0Fg2OdNhwXs
                                                                                                                                                                                                                                        MD5:F5962FB172B47E10C89F6C1B8D4783F9
                                                                                                                                                                                                                                        SHA1:62619E522B88328038800E6A38A0084E8F17E934
                                                                                                                                                                                                                                        SHA-256:917175687C1BD5869B905A142D63D22BAF42A8BA362096864DE7A66F69047EC1
                                                                                                                                                                                                                                        SHA-512:0771E5854C791BC839973E892A1CA90E1FFD3A3FD86D9D7C64FFDAA2A5D0B23EE4D1CB6C56DACADCBFD8F1D3416F4061226F9EAF861E4C020200E38730A082C2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16136
                                                                                                                                                                                                                                        Entropy (8bit):6.716371448586581
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:3EBNDT7WV9o9W4YA6VFHRN7KS9/7R9zb3p:3uxdFCl1F9zF
                                                                                                                                                                                                                                        MD5:3963AEC41EFA623195DC1B54BCADE00F
                                                                                                                                                                                                                                        SHA1:248D5777CB7DADB14613AA943120FE5DCC83315E
                                                                                                                                                                                                                                        SHA-256:5AA37A176F95A69D752260EF02DFDA1032BC2874232C4F6136CDD63B97A122D6
                                                                                                                                                                                                                                        SHA-512:07F393245A075E135C33EB7DE8E4432EA8AB3128CC6584019389EFE484C0BE921E6162F86ACA7A634C1482ED1E23EAA92686CA4543D1B2F9BC17AE32A3290370
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16664
                                                                                                                                                                                                                                        Entropy (8bit):6.684122110106261
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:dyaMtw0IWEXSWKkX6HRN7YDcTR9zi2elD:nldrWYAV9zpeB
                                                                                                                                                                                                                                        MD5:82991C800672C8C8F6EBE3E91C497480
                                                                                                                                                                                                                                        SHA1:43FB34B32C01418A5B58C093CBB87C6775601B2C
                                                                                                                                                                                                                                        SHA-256:5E7316F534DD1E38D31F780C962DD66A208C985766C4B9368EB8CABE550B04DA
                                                                                                                                                                                                                                        SHA-512:407E343770005B1D15FE2DA8EB6EA04D4537FE817A71B4010FC638620DA236FD0C56A1D097774D5CB74FB141888C3793FCADD438E64CB49D27308F491B94BDE3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16648
                                                                                                                                                                                                                                        Entropy (8bit):6.676823175680729
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:KhMvGUhsO/IOW1l4WOpWjA6Kr4PFHnhWgN7acW6ZusyttuX01k9z3A1ipuI:jRsYIOW1l4WOYA6VFHRN77gSR9zWipN
                                                                                                                                                                                                                                        MD5:9B199D5A54F72278382972497F097E1C
                                                                                                                                                                                                                                        SHA1:2FC93773CE859318FEA293E1553616E5545D1973
                                                                                                                                                                                                                                        SHA-256:ADA298EE6BAE973FD1CC6E010B0DF89A137E144EDB6BF2B2EB8F5C9F516B0767
                                                                                                                                                                                                                                        SHA-512:30E4917B014728E28B5C21A91BD1F0DA27D09083576E6E4091B19E61CA7E7F199EB568B82DD94F5A2AF9EF02211231395D3C39B4874E4B81F217972995350845
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22296
                                                                                                                                                                                                                                        Entropy (8bit):6.362401884446514
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:u125qkxK67ex4FCcuRW1dAWepX6HRN7FR9zRYeb7V:UKLPfIWX9zf
                                                                                                                                                                                                                                        MD5:A3A7DF1630D2F94A404911C42EC86548
                                                                                                                                                                                                                                        SHA1:A36036B911CE2E458E0CF3D7F88DC21C6C745252
                                                                                                                                                                                                                                        SHA-256:7CC3FB7B986824999BFA8495606B73FDB2BF4FA550B2B2969087D7A3A438129A
                                                                                                                                                                                                                                        SHA-512:0465AEE62552F9BA8F4B10236479749929923B052889A91802FEBE2001E5B27A1579791F584172EA651615CB597B50B78049859029960153BB78F147ECC35E8B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16664
                                                                                                                                                                                                                                        Entropy (8bit):6.740295761391647
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:s77MLW7MWEqHWdeX6HRN7V5HtcTR9zi2eN4:sfMkpEq3WVFWV9zpem
                                                                                                                                                                                                                                        MD5:F816E514999F8058A7314CB848A829C2
                                                                                                                                                                                                                                        SHA1:9E2B4CC7AEAB7DEA40FE839A1F60BE83092A62E2
                                                                                                                                                                                                                                        SHA-256:B3D731DBDD4690E8EE2C2DDF3863DF96EFC075048A2014CF27FCB15826E9A354
                                                                                                                                                                                                                                        SHA-512:4B1C5D989D04CC8B790A98A3B658B657E331F7196EB67DF1E83E6915792677971CA222CB51F692DFF79D712378E49ABDFB77E716C37BAEB5985F73656AE58287
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16152
                                                                                                                                                                                                                                        Entropy (8bit):6.763138114329992
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:3rxp3W/edW4WpWxNzx95jmHnhWgN7acW7lwKUWX01k9z3A/bsi:1p3W/edWFSX6HRN7b2R9zEN
                                                                                                                                                                                                                                        MD5:4A97F6106712E9C5EEF01AE7B67266E6
                                                                                                                                                                                                                                        SHA1:2F22F7990DD4071D32DDAEA2540F82226DCDE930
                                                                                                                                                                                                                                        SHA-256:D125080F4D56BBFB3D41F40AC47A5D24C7C62EF52442D1219A0076DEB4C9AB72
                                                                                                                                                                                                                                        SHA-512:95D7E51BD942B999BA03A0132B1CFC89DF677646A0DFE18D4A64A81DC4336170A47B7CEA5FAD6133530CCA7C13D54293D35C37D2A7DD93F957AF52BC570A20D9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18080
                                                                                                                                                                                                                                        Entropy (8bit):6.63523384035834
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:tW0TeWp4DT8VGTYA6VFHRN7dJ/R9zphxF:Rp4DAqFClHZ9zj7
                                                                                                                                                                                                                                        MD5:1A0C9FD9FF7364B200A5A3A4F7697575
                                                                                                                                                                                                                                        SHA1:642B759B7F295B75C383C32E9A14E6662CEBF8D3
                                                                                                                                                                                                                                        SHA-256:13BC6FAF450D3EFAD855E2C18BD0A042C2F19F71BD4A6624F932D644819D336F
                                                                                                                                                                                                                                        SHA-512:F59563D3779A01F6199657F813CE9C598368AF918DBBF3CB91A0AC5CC1887D8A2E36BFD67A2CE10568D7DB942CF1F60DBC1B9048AB05A7BE4DCEB5BC4361E625
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16032
                                                                                                                                                                                                                                        Entropy (8bit):6.708050473788568
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:2/lRiA6fDOxDWB4vWifYA6VFHRN7JKDX+iR9zZOdih:OPKkTFClJKDuO9zS+
                                                                                                                                                                                                                                        MD5:3EA28D1CFA9BC0837699982788065BB8
                                                                                                                                                                                                                                        SHA1:6567890ED00E87AAC9FC908B08FD47C9DF5C3382
                                                                                                                                                                                                                                        SHA-256:6C6099617CBFA7F072F1DFA910002C19FC53F6F6F25C3440368B55184B4FB00B
                                                                                                                                                                                                                                        SHA-512:51583767F241F621CA480986C044358059AD1419FD78F142BD4DBE32F9C154FAC736BA4E05ECC94C3817D5DC77D21AF0B5B9308952F0DA9E343939965260221B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16152
                                                                                                                                                                                                                                        Entropy (8bit):6.788762477043187
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:6RGxGfj14WA9pnPUWoWhWxNzx95jmHnhWgN7acWyILyttuX01k9z3A1iGHl9CN:ksGfjiWeJsW1KX6HRN7A2SR9zWi49M
                                                                                                                                                                                                                                        MD5:A8C4B4B883ABD397C940CCA54E6BE11E
                                                                                                                                                                                                                                        SHA1:E01F75FC94F7B6A01985A750A65966C0231B8FE8
                                                                                                                                                                                                                                        SHA-256:56CFB3A3DC6876128F9404DA3B80242FADD11B8996D4AF39652BB408A0076451
                                                                                                                                                                                                                                        SHA-512:5E5A0978570ACD51C1DFD41413D15243420119B09AF829449EBDA7BFF688A9F1922B156068B8F88F013830265164677B61FD330EE3E81AFDA29A5774B1AF77D1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18200
                                                                                                                                                                                                                                        Entropy (8bit):6.622578908813458
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:1e7gLgTJNTXxhuuWpovWAWGWxNzx95jmHnhWgN7acWAYzyttuX01k9z3A1if37:Q08rBhPWpovWNNX6HRN79SR9zWi/7
                                                                                                                                                                                                                                        MD5:E9B2D64A6720117CE7AA1163D2BF6C70
                                                                                                                                                                                                                                        SHA1:B54E1A857603CB0EE0942BA9361C569EFE407FE3
                                                                                                                                                                                                                                        SHA-256:A26D2CE64BD85D4A33404F896AD6B52C2EA0429DCF87E47C62EFC81828C00B5D
                                                                                                                                                                                                                                        SHA-512:E56E4B8F27D87D6FD96CDCF277A1BF7FC06B37BB9D444050390B0EE401E8A28221077B5B8AE15F8666C04AEEBA957E44BDB2733DF71ED118EB3B269DF6F4D42F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):24848
                                                                                                                                                                                                                                        Entropy (8bit):6.215678969244202
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:DV/Mc95qohA8bhUVGKOudE6WK9jsWSYA6VFHRN7qCKN9R9zmwje7pk:DV0chOpfsFClqCk9zLjUO
                                                                                                                                                                                                                                        MD5:0E9B0C0CBF26962F5E9170E8CBEDB4D8
                                                                                                                                                                                                                                        SHA1:C524BEB25F7F9F4B7421C76E0F93546B239F0F64
                                                                                                                                                                                                                                        SHA-256:A5694C5A91559559BD8510F6906282EB640512C5B76EA2C08A56166181706AE0
                                                                                                                                                                                                                                        SHA-512:7F86D23616637175B695DB604C60B4D6488104E474A6A1E118DEDD3A24722B0CF2190A6FFE509A451073EE68EB99CC0C7557486C1469A35DFE9098795D5CA222
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):50976
                                                                                                                                                                                                                                        Entropy (8bit):5.747340839729143
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:bQuoy1c6A2ZX8TRNH5JVbOd502zq1TntVaO6fWRHDRxw9zbkG:bQuoO3ZX8Q5jzC3azfWtIzIG
                                                                                                                                                                                                                                        MD5:F4AA8DA1F6C1EA181899961A43E94611
                                                                                                                                                                                                                                        SHA1:8B4F2CA7CCD76D8D51710E1ACB9DB77FAECCF76F
                                                                                                                                                                                                                                        SHA-256:6AE23353B15E629F945EB03DE5FA3E14F264518CBA9B3872F98EB23DEBFB6B19
                                                                                                                                                                                                                                        SHA-512:7432D12F9840ED710F6FE68CCFD5FB7321FD93FA4384144336B5F79EB6903CD461261FDDE16D16A7446853FA4BF3EE77114BE201FEB433CFAB069F71590C567A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17168
                                                                                                                                                                                                                                        Entropy (8bit):6.671236708882877
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:gpmduasEWQ9EE6rWVZcW4YA6VFHRN7I2IR9zqIcx:g0dJnxCFClrU9zY
                                                                                                                                                                                                                                        MD5:9C24FB2625D3BE532FE098126BD60FF6
                                                                                                                                                                                                                                        SHA1:336F6676FBB339867B1F147679E825222C0BA51D
                                                                                                                                                                                                                                        SHA-256:3CFF84BE953E9791D90CFAC5B97913DD04D88BEBD5DAB42E650D6C102891B686
                                                                                                                                                                                                                                        SHA-512:E493486CFD2C5AC9206F7FF0EEC2A59FC1051200A576C0E69B067411E51F606D3E2D0D89F4DB8FFB0B8BB79C4A38ABF971AB35D335DC4F5CAF63E27BA37275EE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.459775574843526
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:SOQWvhW/WYnO/VWQ4SWc0NsxZAqnajT9CJIC:SjWvhWvUsNs/Al39AL
                                                                                                                                                                                                                                        MD5:681C84FB102B5761477D8DA2D68CD834
                                                                                                                                                                                                                                        SHA1:FD96CF075A956FBC2B74E1ECC3E7958163B58832
                                                                                                                                                                                                                                        SHA-256:F0F7CB2A9FFCCB43400DB88D6BF99F2FCC3161DE1AC96C48501D4D522C48C2CA
                                                                                                                                                                                                                                        SHA-512:C41A62F8D10290215B8A7F0DDCC27A1CF12A7453C2DAABEF75BD2CE87C4FFC87D74EDC8CAA1771BEDA0BFA26249CFE3C94D4AF50B22A5DECB6D282BD8A2C4BDD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20960
                                                                                                                                                                                                                                        Entropy (8bit):4.499619700582879
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:L6WvhWFWYnO/VWQ4SWssAtkqnaj6M07i5CK:+WvhW1UslWMui57
                                                                                                                                                                                                                                        MD5:039D612693E56CCF32AE81C99443EA77
                                                                                                                                                                                                                                        SHA1:0487AA5E7D283A8840F3005D1E24E8C9ED140974
                                                                                                                                                                                                                                        SHA-256:4E978EE035B72032D0B7693E09EED6E112DCED6965780BC3E6B8E024EA2366AB
                                                                                                                                                                                                                                        SHA-512:FFA56C73E977FFCEF7890AB6C3EC52E9827AF28B0552F11C48BB7CA16D37C2B7069FB7E03CEFB89F8679E3755BCC8C47344D0D9B91416C6D92CA7DB28C20240A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20952
                                                                                                                                                                                                                                        Entropy (8bit):4.308560743366262
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:1WvhW/WYnO/VWQ4yWxK2fvXqnajeCqN+6:1WvhWvU8XlX0
                                                                                                                                                                                                                                        MD5:2A8065DC6E6E60FB90B4B3F9E6BA7288
                                                                                                                                                                                                                                        SHA1:400A1F44CD4354DEA0117E79EC04B006D6141B36
                                                                                                                                                                                                                                        SHA-256:55E5F10D0DD9C85FF1C6DC7798E46B3A4422FB7EBC583BB00D06A7DF2494397B
                                                                                                                                                                                                                                        SHA-512:787E033E35AA357263639D97FDFE8A2EBC9F17865579BE13C14C0A4C2ED99432ED8EA79C5046D1B4B783BF5FCF7B713EFDD70FCA8445A7AFCB91CFDDC7F9D442
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.314779945585029
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:JWvhWiWYnO/VWQ4mWAyTIl1PXEKup3JdqnajKsztG2:JWvhWYUQI/PX7aJdlGsztG2
                                                                                                                                                                                                                                        MD5:720DB2235C4193151FF8987F8A729135
                                                                                                                                                                                                                                        SHA1:038648798892203B506AB4664BAECA25F78BC43C
                                                                                                                                                                                                                                        SHA-256:092B72832C47F9C4EDCDE61F1A111C20EB73452984E0A6109482DE74EB03C34D
                                                                                                                                                                                                                                        SHA-512:CAAC89DC4FE10E7752B6F248623B34A47A77A750E62F0A558C760A8AD672D980AFC966A9E5696BA5C916E722FD221D305C4D2C49D5DDA0E4A768855886D4F3CA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.363620943088422
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:9m7xeiImxD3exWvhW5WWYnO/VWQ4mWACJXEKup3JdqnajKsztJ30:9m7xeiIFxWvhWuUkX7aJdlGsztd0
                                                                                                                                                                                                                                        MD5:ECDD006AAE56427C3555740F1ABFA8D6
                                                                                                                                                                                                                                        SHA1:7DFAB7AD873544F627B42C7C4981A8700A250BD4
                                                                                                                                                                                                                                        SHA-256:13BC8B3F90DA149030897B8F9F08D71E5D1561E3AE604472A82F58DAB2B103F9
                                                                                                                                                                                                                                        SHA-512:A9B37E36F844796A0FE53A60684BE51AB4013750BB0B8460C261D25FA5F3DE6CE3380044DDC71116825D130A724DF4BA351C2CFFCBF497EF1B6C443545E83F1C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.2939305898439235
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:8gWvhWliWYnO/VWQ4mWCkJZH2vArqnajKsbTYjtZ:NWvhWlYUDuH24rlGsbTY5Z
                                                                                                                                                                                                                                        MD5:EB065ED1B5CABDBB90E2403B8564778F
                                                                                                                                                                                                                                        SHA1:5B511215EE0E347734FB727FAD6A0A959FF81BF1
                                                                                                                                                                                                                                        SHA-256:BB2D740333AFAEA2A73A163F95FA102D018CCD68DEF28B6815A2BE0696AB57DB
                                                                                                                                                                                                                                        SHA-512:E5FF38F28253FB31BF583131E23EF58AF60020AD1FB329986C8789FE351F4B73CB06109FBC4220678D93191B04DB353466F728534AA1FEBEDF150C491B8E7C65
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25048
                                                                                                                                                                                                                                        Entropy (8bit):4.628757275210407
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:1mtaNYPvVX8rFTsvWvhWmWYnO/VWQ4yW9AfvXqnajeCqKW:8PvVXhWvhWMU7XlX7W
                                                                                                                                                                                                                                        MD5:36277B52C64CC66216751AAD135528F9
                                                                                                                                                                                                                                        SHA1:F2A6740BA149A83E4E58E1E331429FA3EB44FBA0
                                                                                                                                                                                                                                        SHA-256:F353B6C2DF7AADB457263A02BCE59C44BBAB55F98AE6509674CFBC3751F761B9
                                                                                                                                                                                                                                        SHA-512:BE729194A0A3C4D70A6FFA8DE5C7F8BB3DDA1F54772F9AEFF4B9AA1D6756720D149613C5DCB911286B6C0181A264A4A2A8A4EB848C09AC30BA60B6FD10DD64C9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20960
                                                                                                                                                                                                                                        Entropy (8bit):4.328858083322922
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:IAIEWvhWLIQWYnO/VWQ4eWletp80Hy5qnajsBk9:I5EWvhWLI+UJpslE8
                                                                                                                                                                                                                                        MD5:D92E6A007FC22A1E218552EBFB65DA93
                                                                                                                                                                                                                                        SHA1:3C9909332E94F7B7386664A90F52730F4027A75A
                                                                                                                                                                                                                                        SHA-256:03BD3217EAE0EF68521B39556E7491292DB540F615DA873DD8DA538693B81862
                                                                                                                                                                                                                                        SHA-512:B8B0E6052E68C08E558E72C168E4FF318B1907C4DC5FC1CD1104F5CAE7CC418293013DABBB30C835A5C35A456E1CB22CC352B7AE40F82B9B7311BB7419D854C7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20960
                                                                                                                                                                                                                                        Entropy (8bit):4.41968362445382
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:lC+WvhWRWYnO/VWQ4SWHvD480Hy5qnajsBkffy2:4+WvhWRUGEslECl
                                                                                                                                                                                                                                        MD5:50ABF0A7EE67F00F247BADA185A7661C
                                                                                                                                                                                                                                        SHA1:0CDDAC9AC4DB3BF10A11D4B79085EF9CB3FB84A1
                                                                                                                                                                                                                                        SHA-256:F957A4C261506484B53534A9BE8931C02EC1A349B3F431A858F8215CECFEC3F7
                                                                                                                                                                                                                                        SHA-512:C2694BB5D103BAFF1264926A04D2F0FE156B8815A23C3748412A81CC307B71A9236A0E974B5549321014065E393D10228A0F0004DF9BA677F03B5D244A64B528
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.329081455517674
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:ZfWvhWPWYnO/VWQ4SWR7me4qdsxZAqnajT9CRixc:ZfWvhW/UNezs/Al39wiO
                                                                                                                                                                                                                                        MD5:3039A2F694D26E754F77AECFFDA9ACE4
                                                                                                                                                                                                                                        SHA1:4F240C6133D491A4979D90AFA46C11608372917F
                                                                                                                                                                                                                                        SHA-256:625667EA50B2BD0BAE1D6EB3C7E732E9E3A0DEA21B2F9EAC3A94C71C5E57F537
                                                                                                                                                                                                                                        SHA-512:D2C2A38F3E779AC84593772E11AE70FC8BCFD805903E6010FE37D400B98E37746D4D00555233D36529C53DD80B1DF923714530853A69AA695A493EC548D24598
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20960
                                                                                                                                                                                                                                        Entropy (8bit):4.447714045651854
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:gxlAWvhW5EWYnO/VWQ4SWArSZBUuUgxfzfqnajmGYjB:gxlAWvhW5yUbSsIrlStjB
                                                                                                                                                                                                                                        MD5:2EDC82C3DA339A4A138B4E84DC11E580
                                                                                                                                                                                                                                        SHA1:E88F876C9E36D890398630E1B30878AF92DF5B59
                                                                                                                                                                                                                                        SHA-256:E36B72EAFFFFFB09B3F3A615678A72D561B9469A09F3B4891ABA9D809DA937A5
                                                                                                                                                                                                                                        SHA-512:6C1B195B2FABE4D233724133AE3BDF883F287B5ECD9639A838AD558159A07E307E7AE5E5407CE9229DCCDE4BE2CC39EC59506A5FB73B45D04B80330B55E2B85C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.368970650031484
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:ODWvhWJWYnO/VWQ4mWbAcH2vArqnajKsbTY3:ODWvhWJUrcH24rlGsbTY3
                                                                                                                                                                                                                                        MD5:215E3FA11BE60FEAAE8BD5883C8582F3
                                                                                                                                                                                                                                        SHA1:F5BF8B29FA5C7C177DFEC0DE68927077E160C9AB
                                                                                                                                                                                                                                        SHA-256:FBB9032835D0D564F2F53BBC4192F8A732131B8A89F52F5EF3FF0DAA2F71465F
                                                                                                                                                                                                                                        SHA-512:C555698F9641AF74B4C5BB4CA6385B8D69D5A3D5D48504E42B0C0EB8F65990C96093687BC7EE818AA9C24432247AFAD7DF3BF086010A2EFCD3A1010B2FCD6A31
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.601897142725442
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:pTvuBL3BBLxWvhWcWYnO/VWQ4mW74j21EhqnajKsxX+:pTvuBL3BXWvhWKUBqslGsxu
                                                                                                                                                                                                                                        MD5:9A8AB7FE8C4CC7604DFF1FBFA57458AA
                                                                                                                                                                                                                                        SHA1:68ED7B6B5191F53B50D6A1A13513DB780AB19211
                                                                                                                                                                                                                                        SHA-256:E9A3D7F8A08AB5BC94ACB1EC1BFFDA90469FEC3B7EECDF7CF5408F3E3682D527
                                                                                                                                                                                                                                        SHA-512:05DAEABBCDE867E63FDE952213FFF42AF05E70AE72643C97060A90DCEA2A88B75947B6F503CB2C33938AFE36AD1BAFBA5008C1BBE839F6498CDA27DA549DAEE9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20960
                                                                                                                                                                                                                                        Entropy (8bit):5.116096564588074
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:6naOMw3zdp3bwjGzue9/0jCRrndbDWvhWfUCBoliM:POMwBprwjGzue9/0jCRrndbwIJY
                                                                                                                                                                                                                                        MD5:DE5695F26A0BCB54F59A8BC3F9A4ECEF
                                                                                                                                                                                                                                        SHA1:99C32595F3EDC2C58BDB138C3384194831E901D6
                                                                                                                                                                                                                                        SHA-256:E9539FCE90AD8BE582B25AB2D5645772C2A5FB195E602ECDBF12B980656E436A
                                                                                                                                                                                                                                        SHA-512:DF635D5D51CDEA24885AE9F0406F317DDCF04ECB6BFA26579BB2E256C457057607844DED4B52FF1F5CA25ABE29D1EB2B20F1709CF19035D3829F36BBE31F550F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.483681194749599
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:WqfWvhWoWYnO/VWQ4mWKNe4XEKup3JdqnajKsztPO/B:WGWvhWWU9X7aJdlGsztP2
                                                                                                                                                                                                                                        MD5:7DDDA921E16582B138A9E7DE445782A0
                                                                                                                                                                                                                                        SHA1:9B2D0080EDA4BA86A69B2C797D2AFC26B500B2D3
                                                                                                                                                                                                                                        SHA-256:EF77B3E4FDFF944F92908B6FEB9256A902588F0CF1C19EB9BF063BB6542ABFFF
                                                                                                                                                                                                                                        SHA-512:C2F4A5505F8D35FBDD7B2ECA641B9ECFCB31FE410B64FDE990D57B1F8FD932DFF3754D9E38F87DB51A75E49536B4B6263D8390C7F0A5E95556592F2726B2E418
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20960
                                                                                                                                                                                                                                        Entropy (8bit):4.417647805455514
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:RWvhW0WYnO/VWQ4SWKeE+Ztc80Hy5qnajsBkUqS:RWvhWiUxslE5qS
                                                                                                                                                                                                                                        MD5:BF622378D051DB49BDC62ACA9DDF6451
                                                                                                                                                                                                                                        SHA1:EFD8445656A0688E5A8F20243C2419984BB7743E
                                                                                                                                                                                                                                        SHA-256:0BFEDB0D28E41E70BF9E4DA11E83F3A94C2191B5CD5DD45D9E9D439673B830CE
                                                                                                                                                                                                                                        SHA-512:DF32D34C81FDE6EEF83A613CE4F153A7945EECFB1EC936AC6ED674654A4E167EC5E5436185B8064177F5F9273D387CA226C3C9529591180250A9C5C581EC6F70
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.6126507489483375
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:qF3qWvhWQWYnO/VWQ4SWL7JJsxZAqnajT9CgsLam:qF6WvhW+UA7s/Al39wR
                                                                                                                                                                                                                                        MD5:A56E3E2AA6398CCB355C7CDE81CCB6E5
                                                                                                                                                                                                                                        SHA1:A26273DD41DB7B63D3A79ACF6F4F3CF0381A8F02
                                                                                                                                                                                                                                        SHA-256:25AF1BC31C4A3FB9F1036C9AA51CB0AE8899C499B3EEF4CF7281515C1EA27B47
                                                                                                                                                                                                                                        SHA-512:3D5CEC9E5B42724794282974F637B1FDA8C26ADF01ED19DD2EC4F940E01CD43BDC42E46DC3E62704E62553DE96D3FEA1616C9650AF73CDB557DFCA1B52051A64
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.978924663768967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.513848472591714
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.293598211920456
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20960
                                                                                                                                                                                                                                        Entropy (8bit):4.469567491280211
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20960
                                                                                                                                                                                                                                        Entropy (8bit):4.375396134710155
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.889960536352825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.557349562243787
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.617444368323971
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:UgdKIMFemVWvhWNWYnO/VWQ4mWY1tcQIj21EhqnajKsxN:JH0WvhWdUDIqslGsxN
                                                                                                                                                                                                                                        MD5:E1A7B1F8CDB24324D0E44B0078DB8BD1
                                                                                                                                                                                                                                        SHA1:B6C2FE32AE5FA1398F7AE6245C405378E32A7897
                                                                                                                                                                                                                                        SHA-256:45D4F1E398E4CC73FD1AAAD80219D2A9D3205A228167C819EB6787D7B01FC186
                                                                                                                                                                                                                                        SHA-512:144AFE1CB812DE93FBDD08658AFEB4C95480A8E504C5DCF909FF226400CA2D0F48395CF71954FBD1B3DD93A49CBA39EC0DB3FC34A05804C93FD9A48B0A1749CA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.549935038939539
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:+cWvhWoWYnO/VWQ4mWRhXEKup3JdqnajKsztzy:+cWvhWWUqX7aJdlGsztzy
                                                                                                                                                                                                                                        MD5:CB39EEA2EF9ED3674C597D5F0667B5B4
                                                                                                                                                                                                                                        SHA1:C133DC6416B3346FA5B0F449D7CC6F7DBF580432
                                                                                                                                                                                                                                        SHA-256:1627B921934053F1F7D2A19948AEE06FAC5DB8EE8D4182E6F071718D0681F235
                                                                                                                                                                                                                                        SHA-512:2C65014DC045A2C1E5F52F3FEA4967D2169E4A78D41FE56617CE9A4D5B30EBF25043112917FF3D7D152744DDEF70475937AE0A7F96785F97DCEFAFE8E6F14D9C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.319450964936577
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:MPWvhWRWYnO/VWQ4SWiIsxZAqnajT9CDH:yWvhWRUCs/Al39OH
                                                                                                                                                                                                                                        MD5:5B6C46F42ED6800C54EEB9D12156CE1F
                                                                                                                                                                                                                                        SHA1:66CE7A59B82702875D3E7F5B7CF8054D75FF495F
                                                                                                                                                                                                                                        SHA-256:2631CADCE7F97B9A9E6DF4E88F00F5A43EF73B070EE024ED71F0B447A387FF2F
                                                                                                                                                                                                                                        SHA-512:38FF6745BB5597A871B67AA53FCC8426BC2CDD16B6497A0EB7B59C21D8716F1ABB1F7C7A40A121AD1BD67B5490FEF5CF82EE8FD0BF848F27DCA27FC5D25DEC61
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.6478341719136145
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:y0WvhW3WYnO/VWQ4mW8iTH2vArqnajKsbTYk:FWvhWnUIH24rlGsbTYk
                                                                                                                                                                                                                                        MD5:A68D15CAB300774D2A20A986EE57F9F4
                                                                                                                                                                                                                                        SHA1:BB69665B3C8714D935EE63791181491B819795CB
                                                                                                                                                                                                                                        SHA-256:966DDBF59E1D6C2A80B8ABBF4A30D37475DE097BF13FB72BA78684D65975CD97
                                                                                                                                                                                                                                        SHA-512:AC040F92560631CA5162C7559173BDFE858E282225967AB1ADC0A038D34943B00DB140D44319CD2CDC2864295A098AB0BA634DFAA443E1D1782FA143AE4C217D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25056
                                                                                                                                                                                                                                        Entropy (8bit):4.647238720605179
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:3jQ/w8u4cy1WvhWb9WYnO/VWQ4SWANsAlosytkqnaj6Md:fy1WvhWhUNsilWMd
                                                                                                                                                                                                                                        MD5:0E35E369165875D3A593D68324E2B162
                                                                                                                                                                                                                                        SHA1:6A1FF3405277250A892B79FAED01DCDC9DBF864A
                                                                                                                                                                                                                                        SHA-256:14694879F9C3C52FBD7DDE96BF5D67B9768B067C80D5567BE55B37262E9DBD54
                                                                                                                                                                                                                                        SHA-512:D496F0C38300D0EED62B26A59C57463A1444A0C77A75C463014C5791371DECA93D1D5DD0090E8E324C6A09BD9CFF328F94947272CA49018C191C12732E805EE8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.454858890873412
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:PLGju+OXWvhW+eWYnO/VWQ4mWPiNbj21EhqnajKsxy:PLGjuJWvhWFUztqslGsxy
                                                                                                                                                                                                                                        MD5:DACF383A06480CA5AB70D7156AECAB43
                                                                                                                                                                                                                                        SHA1:9E48D096C2E81A7D979F3C6B94315671157206A1
                                                                                                                                                                                                                                        SHA-256:00F84C438AAB40500A2F2DF22C7A4EC147A50509C8D0CDAC6A83E4269E387478
                                                                                                                                                                                                                                        SHA-512:5D4146A669DDB963CF677257EC7865E2CFCB7960E41A38BBD60F9A7017474ED2F3291505FA407E25881CBF9E5E6B8055FF3BD891043284A0A04E3FE9CFAD9817
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.950541424159939
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:RSnWlC0i5CtWvhWJKWYnO/VWQ4SWuMasxZAqnajT9CQMDt:RSnWm5CtWvhWWUyas/Al39ODt
                                                                                                                                                                                                                                        MD5:D725D87A331E3073BF289D4EC85BD04D
                                                                                                                                                                                                                                        SHA1:C9D36103BE794A802957D0A8243B066FA22F2E43
                                                                                                                                                                                                                                        SHA-256:30BCF934CBCC9ED72FF364B6E352A70A9E2AFA46ECEADEA5C47183CB46CFD16E
                                                                                                                                                                                                                                        SHA-512:6713FF954221C5DD835C15556E5FA6B8684FA7E19CE4F527A5892E77F322B3DAE7199A232040B89AD4A9575C8D9788D771892D2294F3C18DA45E643EB25FDB08
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.591111522505104
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:PUFY17aFBRIWvhWrWYnO/VWQ4mWCJH2vArqnajKsbTYxj:8Q1WvhWLUrH24rlGsbTY5
                                                                                                                                                                                                                                        MD5:9151E83B4FDFA88353B7A97AE7792678
                                                                                                                                                                                                                                        SHA1:B46152E70D5D3D75D61D4CCDB50403BD08BB9354
                                                                                                                                                                                                                                        SHA-256:6C0E0D22B65329F4948FCF36C8048A54CCCCBF6C05B330B2C1A686F3E686EED0
                                                                                                                                                                                                                                        SHA-512:4D4210474957E656D821E1DC5934A4BFBF7E73DD61D696A1AB39914F887810C8FBE500DBB1E23782B40807F25820F35C9665E04DCDC2FD0F6C83046A4AECB86B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.54281367075804
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:g8yWvhWVWYnO/VWQ4mWWeUDj21EhqnajKsxRIM9:gtWvhWFUtDqslGsxRIG
                                                                                                                                                                                                                                        MD5:EBC168D7D3EA7C6192935359B6327627
                                                                                                                                                                                                                                        SHA1:AECEB7C071CF1BB000758B6CEEBEFEEC91AD22BD
                                                                                                                                                                                                                                        SHA-256:C048A3D7AB951DCE1D6D3F5F497B50353F640A1787C6C65677A13C55C8E99983
                                                                                                                                                                                                                                        SHA-512:891D252ECD50BDED4614547758D5E301BDF8E71FBB1023FF89F8DE2F81927CC7CC84B98985D99E8FA8DCBF361E5117D9C625DC0D36983AFC3F2AA48A54CE3D48
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29144
                                                                                                                                                                                                                                        Entropy (8bit):4.946641263598223
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:MQM4Oe59Ckb1hgmLJWvhWdUN8HOhlxAnY:rMq59Bb1jeanOunY
                                                                                                                                                                                                                                        MD5:7A235962DBAB1E807C6EC7609FC76077
                                                                                                                                                                                                                                        SHA1:148DDD11A0D366313F75871007057B3F0485AB33
                                                                                                                                                                                                                                        SHA-256:F7C5D7394643C95FE14C07773A8A206E74A28DB125F9B3976F9E1C8C599F2AF1
                                                                                                                                                                                                                                        SHA-512:25B21EE7BB333E5E34D2B4A32D631A50B8FFAF1F1320D47C97C2A4DFF59FA2A2703CDF30638B46C800D3150EFAA4A2518C55E7B2A3B2E4273F43DD5CA83AE940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29136
                                                                                                                                                                                                                                        Entropy (8bit):4.764408242494898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:VA/kPLPmIHJI6/CpG3t2G3t4odXLJWvhWSUwlmX7aJdlGszti:y/kjPmIHJI6AFc7aJGT
                                                                                                                                                                                                                                        MD5:B3B4A0F3FCE120318E71DE3AFB6BB1AA
                                                                                                                                                                                                                                        SHA1:D3349409EC717F942769BA67FECA40557C1423D0
                                                                                                                                                                                                                                        SHA-256:A38E6786DC8EC6D2717343DBE00BB2FDDA008D87935BBD9371AE94E7E004270B
                                                                                                                                                                                                                                        SHA-512:4A130674DDBB05949665F6F7A070B25E82C34047D1E62EC60C73F815CED39A9041D972BE4E8C505F9B13C5BCDC114F3479BF8D69D7D9CF9987D39A6F5DB7F560
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):74192
                                                                                                                                                                                                                                        Entropy (8bit):5.1227875842071615
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:LLraHgDe5c4bFe2JyhcvxXWpD7d3334BkZnjPgB/P5W:baHgDe5c4bFe2JyhcvxXWpD7d3334Bkb
                                                                                                                                                                                                                                        MD5:7033AB91EA4F0593E4D6009D549E560F
                                                                                                                                                                                                                                        SHA1:4951CE111CA56994D007A9714A78CDADEEB0DACF
                                                                                                                                                                                                                                        SHA-256:BE7901AA1FACEA8E1FD74A62BDE54CC3BD8E898B52E76FABB70342B160989B80
                                                                                                                                                                                                                                        SHA-512:8BC3B880E31EBE3BC438A24D2AF249C95E320AC3C7A501027EF634F55AAB6FAC4F6D1090A00C29A44657A34EBADCD62023F2E947D31C192072698B645F8651ED
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.608840616484201
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:4adyqjd7VWvhWpWYnO/VWQ4mWB8nXEKup3JdqnajKszt0CkD:4aQ0WvhWpUnX7aJdlGszt0r
                                                                                                                                                                                                                                        MD5:55463244172161B76546DC2DE37F42BD
                                                                                                                                                                                                                                        SHA1:C10A5360AD5E340D59C814E159EA1EFCBF5BF3EE
                                                                                                                                                                                                                                        SHA-256:4166A32551989F960DAC7C0E296FFB28092F45F6539E7C450FA04BF17612BE73
                                                                                                                                                                                                                                        SHA-512:EACEC78FF95F60DEF6F7F27BDA4A84F1DD2DFA386EFC4F6DA770C37268DF83C5B402693EA5C29F54D48026579F3843DB26ADD4D6448EA10CBF7F14D4D14A72FD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25040
                                                                                                                                                                                                                                        Entropy (8bit):4.795732177662406
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:oHUW9MPrpJhhf4AN5/KiZWvhWMWYnO/VWQ4mWLz8Y5H2vArqnajKsbTYCkI:oHUZr7PWvhW6UeH24rlGsbTYCx
                                                                                                                                                                                                                                        MD5:27C4A3BCC0F1DBA2DE4C2242CD489F3B
                                                                                                                                                                                                                                        SHA1:A704FD91E3C67108B1F02FD5E9F1223C7154A9CC
                                                                                                                                                                                                                                        SHA-256:315DED39D9E157CEC05D83711C09858C23602857C9D8C88BEEF121C24C43BE84
                                                                                                                                                                                                                                        SHA-512:793E74DFB1052C06AB4C29E7B622C795CC3122A722382B103940B94E9DAC1E6CA8039DF48C558EFCC5D952A0660393AE2B11CED5ADE4DC8D5DD31A9F5BB9F807
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25040
                                                                                                                                                                                                                                        Entropy (8bit):5.082770273323341
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:DA2uWYFxEpahrWvhW/nWYnO/VWQ4mWSmRkH2vArqnajKsbTYMlBzK:DIFVhrWvhWfUERkH24rlGsbTYx
                                                                                                                                                                                                                                        MD5:306608A878089CB38602AF693BA0485B
                                                                                                                                                                                                                                        SHA1:59753556F471C5BF1DFEF46806CB02CF87590C5C
                                                                                                                                                                                                                                        SHA-256:3B59A50457F6B6EAA6D35E42722D4562E88BCD716BAE113BE1271EAD0FEB7AF3
                                                                                                                                                                                                                                        SHA-512:21B626E619AAF4EDA861A9C5EDF02133C63ADC9E893F38FEDE72D90A6E8BE0E566C117A8A24CA4BAB77928083AE4A859034417B035E8553CC7CCFB88CB4CBD9C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25040
                                                                                                                                                                                                                                        Entropy (8bit):5.075489018611419
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:dozmT5yguNvZ5VQgx3SbwA71IkFPaPA6XHPe:dozmT5yguNvZ5VQgx3SbwA71IAaP7XH2
                                                                                                                                                                                                                                        MD5:EC1381C9FDA84228441459151E7BADEA
                                                                                                                                                                                                                                        SHA1:DB2D37F3C04A2C2D4B6F9B3FD82C1BE091E85D2C
                                                                                                                                                                                                                                        SHA-256:44DDAB31C182235AC5405D31C1CBA048316CC230698E392A732AC941EC683BAD
                                                                                                                                                                                                                                        SHA-512:EE9EBBDC23E7C945F2B291FDE5EB68A42C11988182E6C78C0AB8FA9CB003B24910974A3291BCDAA0C8D1F9DFA8DF40293848FB9A16C4BE1425253BED0511A712
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):5.000234308172749
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:SNDKWvhW/WYnO/VWQ4mWVx2RoXEKup3JdqnajKsztg/J:RWvhWvUexqoX7aJdlGsztgx
                                                                                                                                                                                                                                        MD5:4CF70855444F38E1EB71F9C3CD1C6E86
                                                                                                                                                                                                                                        SHA1:D06AEC4008D397756EE841F0E7A435D1C05B5F07
                                                                                                                                                                                                                                        SHA-256:A409E25A9D3C252CC0A5AF9DF85D3733E946087B06CD1FB2CF1BF640EB0D49BA
                                                                                                                                                                                                                                        SHA-512:A13A80645E679343AC5638E8AA6A03012F16200CB3A4637BE52A01AA3BEF854324A8ED1882CA91B304B9C47B6351B1FC1671F4DEDE5BE77BC208A71FE6029064
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20944
                                                                                                                                                                                                                                        Entropy (8bit):4.5308703760687745
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:6PjfHQduHWvhWjWYnO/VWQ4mWEwXBXEKup3JdqnajKsztqOT+:QfxWvhWjUoXBX7aJdlGsztqx
                                                                                                                                                                                                                                        MD5:FCD6B29932D6FB307964B2D3F94E6B48
                                                                                                                                                                                                                                        SHA1:BE560F8A63C8E36A7B3FA48FF384F99F69A5D4F7
                                                                                                                                                                                                                                        SHA-256:CFB2EE4E426BB00B76163C1A66CF8CFEF8D7450CBF9BBCE3BC9EB2053F51E0E5
                                                                                                                                                                                                                                        SHA-512:3EDFCF559F1E21870277358E6D266A1A0CEA68B163B11C73108F3B6A56006D20B51410A3B4EA39BF80906BF6C9D573E1072697CFCD6A3D37E3679EA54757C69F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):304800
                                                                                                                                                                                                                                        Entropy (8bit):4.2336898246942685
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:REX9Xit++0PJSKtOJsgI3mwNdmLZ8mTQfsqxEdB:S9xacWIfsqOD
                                                                                                                                                                                                                                        MD5:DBEB3E7BAE9873B4317F7E581AAF7DA5
                                                                                                                                                                                                                                        SHA1:9008A7E3F3CC8CA70DE2A6501514E1BC89B480B0
                                                                                                                                                                                                                                        SHA-256:1498113CBB7EECF7CC591502DC70C138165CFBABBCBB013E103C98357EC9C9EC
                                                                                                                                                                                                                                        SHA-512:4E5EE6CD29DD31F0881DF453726472166489E4AA6E2F2C98271FD79ED37C0B4022C37F684265EE790687D9925B04127639A1487FC1608F7B5FAB8ED643B69D24
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j=.I.S.I.S.I.S..~..H.S..~Q.H.S.RichI.S.PE..d.....lf.........." .........|......................................................b.....`.......................................................... ..xx...........~...(..............T............................................................................rdata..X...........................@..@.rsrc...xx... ...z..................@..@......lf........l...l...l.........lf..........................lf........l...................................RSDS.An[...E.A.ki.......D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\clretwrc\clretwrc.pdb.............................T....rdata..T........rdata$voltmd...l........rdata$zzzdbg.... .......rsrc$01.....!..hw...rsrc$02....................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1436848
                                                                                                                                                                                                                                        Entropy (8bit):6.4837820325046405
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:fLtbu58TIu2rlMBDr0PZYRhVj95f1L7Zr5/z/5ccUYXIBXzkTVsHgWolUZbGwqfy:fLtHAcX0PZuhVDh7ZN7/6YXIBjkBsHgy
                                                                                                                                                                                                                                        MD5:7B4375E2D9212108130ACA9438B204B4
                                                                                                                                                                                                                                        SHA1:8AD0A3C29A02429FA4233E0CBE09897EB3960A46
                                                                                                                                                                                                                                        SHA-256:C8C62D5043E1E16089B85BADC0D41DAA4B8EBCBE8608435783C07679BACD159E
                                                                                                                                                                                                                                        SHA-512:FD33720895EBEB0074727A38F467209CBE763600476687F42E9727486133B9293F8D18C016CA14991D1671EC87AB09F8722645C54B1E326282E480F801F8B264
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5125400
                                                                                                                                                                                                                                        Entropy (8bit):6.552600854604914
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:TRUteSi8SjfXq6ZlxPCEsBfdSf30d9A6oWUqSp0eTVRapiB8YNCdT2eBRJoqN2nc:9U6RxPCEwpJc5H8GatXj
                                                                                                                                                                                                                                        MD5:3F517CD4D560FF7C81CA4E0ACF375A96
                                                                                                                                                                                                                                        SHA1:53375106AD45031329A0FB075C0D3193C4A8FAC6
                                                                                                                                                                                                                                        SHA-256:64E1C7636E731BB9DD30ADF26526BA69A64786F0D4C6979265CB5575AD1ABFF2
                                                                                                                                                                                                                                        SHA-512:C7FBA2ECE43B3328F5A041407EA4D729BDBCCC65869E7540C7CA1AB558FACCE9E434812C362131CF9D04573D3EDD5460747DEBC175E45BFCEF281546C94476A6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):58208
                                                                                                                                                                                                                                        Entropy (8bit):6.335250887121676
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:IIkf5nMEPz7omzpq/4Jw1AsDZq7v613eUu8sGzWjK9zv2:wn5tLX62Cu8TzW6zv2
                                                                                                                                                                                                                                        MD5:69338F5C8F7B6567B5E4D83173BD15CD
                                                                                                                                                                                                                                        SHA1:E2846481C76E4720CE86F57BF7864533A7EC753D
                                                                                                                                                                                                                                        SHA-256:31ABD14FFAFD56AB69CC0D7222A8004177F689BBBCBAD7312D8C2FC03F32E2E1
                                                                                                                                                                                                                                        SHA-512:58C721578AE472F4FA275A58483CACA669828254AADEA1457C723E7D353C8D5673736F36C79DA06234C300AB9F361546650A754F6D7EF1CDEF79B5CD2171C806
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):140464
                                                                                                                                                                                                                                        Entropy (8bit):6.413381282488342
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:8XY8Ja8dy1+iLfBcGPUZZceOiU8mJ/QQc962jqc413OjgrxkwF+aW/CzWa:QLgDL+vU8mpcoOjgrxkLaQCn
                                                                                                                                                                                                                                        MD5:A826058DA5A74D575C5FBBA98D2DE708
                                                                                                                                                                                                                                        SHA1:B8B628B29BFC99A1CF6565DC0AD941F3A15B67D7
                                                                                                                                                                                                                                        SHA-256:EB642F50E67611DD041AADF3BFCAEC9FF69A3BBDE27D59BD6F38900307D25CE8
                                                                                                                                                                                                                                        SHA-512:07D97B9F87BC16B47487C7193084769C751CC2DFF5CD6D033E1575C978B9A3448045CE6B7DFC2A2C4BAB3C17E889679AFE19671AADFA9C2C8FAFFB78BBCC8171
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):394528
                                                                                                                                                                                                                                        Entropy (8bit):6.311616444156745
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:BBGjtN9JhCdJeD1QL3sQy8XyV0l0gzPI37VPzBz3BUt9OqOHBE/Xb:BBGjtNlU/rsQy8XyxzkZOGX
                                                                                                                                                                                                                                        MD5:99627BE8353E7B34EBDBBBF965470601
                                                                                                                                                                                                                                        SHA1:E60681E3F81B4DCAF304E715878ED9F3984A1BAA
                                                                                                                                                                                                                                        SHA-256:B54E1ACF51C3A876C68E99FF17C5A585AF264CFC25F57D6913EA9BD85FCB25B5
                                                                                                                                                                                                                                        SHA-512:BC162E11BDF84ECB7C0DA3F6FFDAB3380958C8B9C86E9DC4CBF03BC8FE3C5B2D958E11FB373D5944418F687F7F559C1DBECA36B37D1AE4472BB8B58420A7AD6C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1320360
                                                                                                                                                                                                                                        Entropy (8bit):6.373679704817961
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:W3ccAqMv7jLs0eJqwnSA/RSwn20qv6InSITDHuPGct:W7s7jsjS4znnqyIn7TrvU
                                                                                                                                                                                                                                        MD5:4C295F5F2D61B58ABFFDBEAFC26ED0A0
                                                                                                                                                                                                                                        SHA1:4948926A75605082BF2F2266910A90E526890C75
                                                                                                                                                                                                                                        SHA-256:1CD7F8274A9856A9A5A26AE2414C2DCE6E194F5C7CC0E3B566564F8A8A758C6D
                                                                                                                                                                                                                                        SHA-512:245E4571E5F49281093CCEA9FF488BCE4A73AA4D0DB2423B1E9C9C25192CA02387B3D18C7519B756958139ED99CD27B1A81135CA6F8A8D8575CF682CA5B4FC1F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1320360
                                                                                                                                                                                                                                        Entropy (8bit):6.373679704817961
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:W3ccAqMv7jLs0eJqwnSA/RSwn20qv6InSITDHuPGct:W7s7jsjS4znnqyIn7TrvU
                                                                                                                                                                                                                                        MD5:4C295F5F2D61B58ABFFDBEAFC26ED0A0
                                                                                                                                                                                                                                        SHA1:4948926A75605082BF2F2266910A90E526890C75
                                                                                                                                                                                                                                        SHA-256:1CD7F8274A9856A9A5A26AE2414C2DCE6E194F5C7CC0E3B566564F8A8A758C6D
                                                                                                                                                                                                                                        SHA-512:245E4571E5F49281093CCEA9FF488BCE4A73AA4D0DB2423B1E9C9C25192CA02387B3D18C7519B756958139ED99CD27B1A81135CA6F8A8D8575CF682CA5B4FC1F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1268256
                                                                                                                                                                                                                                        Entropy (8bit):6.353875443999665
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:+ZdZVsOfVMIVAeZeSuIN5R2kMfmZmogeOaypw7ZSryE0BbdIUtVL0GUix+VgFow6:+ZdZVscj9cSuINr2JeOayeFbpo7iE8oJ
                                                                                                                                                                                                                                        MD5:8C06FB2F713A634561B3DC6E5469DE70
                                                                                                                                                                                                                                        SHA1:4FB727BAC8E600A04D200351600DDDB160487D15
                                                                                                                                                                                                                                        SHA-256:BEAD06E37ED9D1292F205C8F9D1825AF1BA21A1461E1EA1030A16872BC12C854
                                                                                                                                                                                                                                        SHA-512:A624E37FF0A29767C2E04BDC5120D88D48D0DF687F6B48291C5CC7F9CF89FFEF771EC0946EB00030DDC5623DD29B3AB510F9B0EB35C70A2F1DAE6C1C1784B82A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):58528
                                                                                                                                                                                                                                        Entropy (8bit):5.6446323123377224
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:l8zO+8uP8x/A15A4HI4gJl01Qa7ICltVvTFClpDuO9zh:yzO+8uA/A15A4o4gJq1DI+vBipzh
                                                                                                                                                                                                                                        MD5:86E65EF2C83159E84F5A7C36EC78867E
                                                                                                                                                                                                                                        SHA1:A0FC2165DAF648BCBAAB3DF2AE0FBAE3FEC0A702
                                                                                                                                                                                                                                        SHA-256:5319693193C2BCBBE56E1090E1EEA513A0145557E40A789BF96F562C0D0CC8E1
                                                                                                                                                                                                                                        SHA-512:A6537F4D68ED63DE7D627B8B321010C83D175E0EA50F33AC5DCC5692EF5BA9620A2BD3572B8F4771ACC1B02ECD5B852482CE1EF75B47C65597D2914F4F1D0A37
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):147104
                                                                                                                                                                                                                                        Entropy (8bit):3.8671404588318095
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:9V8Zms10iHvh7x8SKJlZ4vCCk7nw55IvZ4MgSZctpoEXXniizP:9V8Z/aSKlZ4ZGnwmUS4Scnp7
                                                                                                                                                                                                                                        MD5:81556C4545EC2CC21AD218639A0C003B
                                                                                                                                                                                                                                        SHA1:E80EE14AB3EEE7BAA7FF86B07DDD64B38788D4B9
                                                                                                                                                                                                                                        SHA-256:214186149DDF144E9FB1935A7B39FA9393D188CCA6558AE580F3DCB3465ABA5C
                                                                                                                                                                                                                                        SHA-512:99243E57988B7758B8537A43815840509B37CCEB3BEB4B8E6A8086ACB36880D5AA63A4496E16C3BAD34D2D8EDAFF7A240E6FFEC9F60488B6A31D9A957B4CA7C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j=.I.S.I.S.I.S..~..H.S..~Q.H.S.RichI.S.PE..d.....lf.........." .........................................................@............`.......................................................... ..`................(..............T............................................................................rdata..X...........................@..@.rsrc...`.... ......................@..@......lf........j...l...l.........lf..........................lf........l...................................RSDS..^...qO.h"..c.:....D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscorrc\mscorrc.pdb...............................T....rdata..T........rdata$voltmd...l........rdata$zzzdbg.... .......rsrc$01.....;.......rsrc$02....................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):517032
                                                                                                                                                                                                                                        Entropy (8bit):6.327188439808119
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:DD4t2kjj3Ueh/9WoJcDSdiA9HuUrUb9KcvYCxe3Rw42SISaVGxQJyRMq1KsLGjrT:DDrkjjUoJcDSdiw4QcO3RoS9MV
                                                                                                                                                                                                                                        MD5:B5D0F85E7C820DB76EF2F4535552F03C
                                                                                                                                                                                                                                        SHA1:91EFF42F542175A41549BC966E9B249B65743951
                                                                                                                                                                                                                                        SHA-256:3D6D6E7A6F4729A7A416165BEABDA8A281AFFF082EBB538DF29E8F03E1A4741C
                                                                                                                                                                                                                                        SHA-512:5246EBEAF84A0486FF5ADB2083F60465FC68393D50AF05D17F704D08229CE948860018CBE880C40D5700154C3E61FC735C451044F85E03D78568D60DE80752F7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):101664
                                                                                                                                                                                                                                        Entropy (8bit):5.505707682437033
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:oiTrnaN0HjO8MZYq5V4bgDHsPdPpwSJ5L3Akcg9Qc7WUEp4za:JaN8qZYe4bgDUnNKc7nXm
                                                                                                                                                                                                                                        MD5:6F476F66A2C6228DA38FE6C7ED7CA439
                                                                                                                                                                                                                                        SHA1:2C13ABA2E1A19F00C98A1AB82066512B6B555375
                                                                                                                                                                                                                                        SHA-256:78798868341E36FC9B782AB9313CC7035C5173509552F4BB95B44A5D0D044B23
                                                                                                                                                                                                                                        SHA-512:C3E5132101845D821D040ABE97EE2EA07D04135ADFD11E880D08000C8B03ECC7853AF7CEE5BF18C07361F29C5867D9A7120F6F1D4053F624E25F6021C8E03367
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\netstandard.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1122768
                                                                                                                                                                                                                                        Entropy (8bit):6.6466118295886165
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:CJG2BrB3ZQAq0AT2jS9HKHdK6AccMs1wmxvSZX0ypFi:0VGrT6SAk3ei
                                                                                                                                                                                                                                        MD5:3B337C2D41069B0A1E43E30F891C3813
                                                                                                                                                                                                                                        SHA1:EBEE2827B5CB153CBBB51C9718DA1549FA80FC5C
                                                                                                                                                                                                                                        SHA-256:C04DAEBA7E7C4B711D33993AB4C51A2E087F98F4211AEA0DCB3A216656BA0AB7
                                                                                                                                                                                                                                        SHA-512:FDB3012A71221447B35757ED2BDCA6ED1F8833B2F81D03AABEBD2CD7780A33A9C3D816535D03C5C3EDD5AAF11D91156842B380E2A63135E3C7F87193AD211499
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2402
                                                                                                                                                                                                                                        Entropy (8bit):5.362731083469072
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQg8mHDp684IHTQ06YHKGSI6oPtHTHhAHKKk+HKlT4v1qHGIs0HKaHKmTHlH7:iqzCIzQ06YqGSI6oPtzHeqKk+qZ4vwme
                                                                                                                                                                                                                                        MD5:28B4BFE9130A35038BD57B2F89847BAE
                                                                                                                                                                                                                                        SHA1:8DBF9D2800AB08CCA18B4BA00549513282B774A9
                                                                                                                                                                                                                                        SHA-256:19F498CAE589207075B8C82D7DACEAE23997D61B93A971A4F049DC14C8A3D514
                                                                                                                                                                                                                                        SHA-512:02100FD4059C4D32FBAAA9CEAACB14C50A4359E4217203B2F7A40E298AD819ED5469F2442291F12852527A2B7109CC5F7BFF7FDAD53BA5ABF75FC5F0474E984F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\434f871c532673e1359654ad68a1c225\System.Configuration.Install.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\a
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):651
                                                                                                                                                                                                                                        Entropy (8bit):5.343677015075984
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                                                                                                                                                        MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                                                                                                                                                        SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                                                                                                                                                        SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                                                                                                                                                        SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878658685893347
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:1+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:1+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                        MD5:4C2CCD8E957C65E8C7EF53C5147066C3
                                                                                                                                                                                                                                        SHA1:6CD11864DFE9F061C2A4E599304934D94F8C36E8
                                                                                                                                                                                                                                        SHA-256:3809AFFAD6DC10DE4613EDB2C172F47B641B0393270A129B24683CCD30FB39D7
                                                                                                                                                                                                                                        SHA-512:8EF0AC1323C4A3DA1E892892B46B71F08901AEB3142250144CE2514058CA593DE9D05B88CFE502336DCA4910BAB2EDE7023AA7C09364C60647CF50F3AA9749FF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878658685893347
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:1+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:1+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                        MD5:4C2CCD8E957C65E8C7EF53C5147066C3
                                                                                                                                                                                                                                        SHA1:6CD11864DFE9F061C2A4E599304934D94F8C36E8
                                                                                                                                                                                                                                        SHA-256:3809AFFAD6DC10DE4613EDB2C172F47B641B0393270A129B24683CCD30FB39D7
                                                                                                                                                                                                                                        SHA-512:8EF0AC1323C4A3DA1E892892B46B71F08901AEB3142250144CE2514058CA593DE9D05B88CFE502336DCA4910BAB2EDE7023AA7C09364C60647CF50F3AA9749FF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878630966889847
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                                                                                                                                        MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                                                                                                                                        SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                                                                                                                                        SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                                                                                                                                        SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878630966889847
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                                                                                                                                        MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                                                                                                                                        SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                                                                                                                                        SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                                                                                                                                        SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Runtime - 6.0.32 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Runtime - 6.0.32 (x64)., Template: x64;1033, Revision Number: {81A6B662-3AB0-42DC-AE22-74E8036F80FA}, Create Time/Date: Sun Jun 16 06:00:54 2024, Last Saved Time/Date: Sun Jun 16 06:00:54 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27222016
                                                                                                                                                                                                                                        Entropy (8bit):7.99350983480325
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:786432:xUjjZm/yN+5DsfeR/WZGvLF3bApyMYhKj:xS4/yN+NsG/WZQF3EpJYhK
                                                                                                                                                                                                                                        MD5:4E9EB394F40E78755FA76E67F9190CD0
                                                                                                                                                                                                                                        SHA1:36310C7F007992D911E8402E4AA34A2BB1682063
                                                                                                                                                                                                                                        SHA-256:8701E309396C5232A4FE1606C6E3549134FE01DC0D9FE4A74CB9D26531DDD9A4
                                                                                                                                                                                                                                        SHA-512:2CB71F44E7BBA16143120512718DD128185A5063BA4767146D10C93B81B6CAA4226CFC30FA44B1E50EE41C37B55852E32EA63554FD438FB9ED60DE2CE93CA8E3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Runtime - 6.0.32 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Runtime - 6.0.32 (x64)., Template: x64;1033, Revision Number: {81A6B662-3AB0-42DC-AE22-74E8036F80FA}, Create Time/Date: Sun Jun 16 06:00:54 2024, Last Saved Time/Date: Sun Jun 16 06:00:54 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27222016
                                                                                                                                                                                                                                        Entropy (8bit):7.99350983480325
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:786432:xUjjZm/yN+5DsfeR/WZGvLF3bApyMYhKj:xS4/yN+NsG/WZQF3EpJYhK
                                                                                                                                                                                                                                        MD5:4E9EB394F40E78755FA76E67F9190CD0
                                                                                                                                                                                                                                        SHA1:36310C7F007992D911E8402E4AA34A2BB1682063
                                                                                                                                                                                                                                        SHA-256:8701E309396C5232A4FE1606C6E3549134FE01DC0D9FE4A74CB9D26531DDD9A4
                                                                                                                                                                                                                                        SHA-512:2CB71F44E7BBA16143120512718DD128185A5063BA4767146D10C93B81B6CAA4226CFC30FA44B1E50EE41C37B55852E32EA63554FD438FB9ED60DE2CE93CA8E3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host FX Resolver - 6.0.32 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host FX Resolver - 6.0.32 (x64)., Template: x64;1033, Revision Number: {43DA5864-E85C-44A5-B8EC-4BB554FA8AFC}, Create Time/Date: Sun Jun 16 06:00:06 2024, Last Saved Time/Date: Sun Jun 16 06:00:06 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):876544
                                                                                                                                                                                                                                        Entropy (8bit):6.767183882536547
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:219IeVsJxYRR3cqU8VKIvZUlkj/cBhZeK4lu/XdmYwh:2jIxCMHWvZgkjcDefMFmL
                                                                                                                                                                                                                                        MD5:46DB6C104F1B633927DEE575B5C38C0B
                                                                                                                                                                                                                                        SHA1:9D5E6CF836E28959181B855102E70F5A37550314
                                                                                                                                                                                                                                        SHA-256:2C8DFB556F4A6576205AF03F8D5E2F0A939395CA2DE6D69F06478B3008D1A2CE
                                                                                                                                                                                                                                        SHA-512:007877E08B1958FDC5FEC7DA9FE8AD1A678C2E59BF0B5F4B4080640C1FAB96A34F27AF81F5A733580E95B897D0E27E1C1FD45A4CA20A673A20F3331F3D5C2B62
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host FX Resolver - 6.0.32 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host FX Resolver - 6.0.32 (x64)., Template: x64;1033, Revision Number: {43DA5864-E85C-44A5-B8EC-4BB554FA8AFC}, Create Time/Date: Sun Jun 16 06:00:06 2024, Last Saved Time/Date: Sun Jun 16 06:00:06 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):876544
                                                                                                                                                                                                                                        Entropy (8bit):6.767183882536547
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:219IeVsJxYRR3cqU8VKIvZUlkj/cBhZeK4lu/XdmYwh:2jIxCMHWvZgkjcDefMFmL
                                                                                                                                                                                                                                        MD5:46DB6C104F1B633927DEE575B5C38C0B
                                                                                                                                                                                                                                        SHA1:9D5E6CF836E28959181B855102E70F5A37550314
                                                                                                                                                                                                                                        SHA-256:2C8DFB556F4A6576205AF03F8D5E2F0A939395CA2DE6D69F06478B3008D1A2CE
                                                                                                                                                                                                                                        SHA-512:007877E08B1958FDC5FEC7DA9FE8AD1A678C2E59BF0B5F4B4080640C1FAB96A34F27AF81F5A733580E95B897D0E27E1C1FD45A4CA20A673A20F3331F3D5C2B62
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host - 6.0.32 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host - 6.0.32 (x64)., Template: x64;1033, Revision Number: {6CC46603-A43D-40BF-9045-9949A2B95632}, Create Time/Date: Sun Jun 16 05:59:54 2024, Last Saved Time/Date: Sun Jun 16 05:59:54 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):811008
                                                                                                                                                                                                                                        Entropy (8bit):6.573482407139199
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:7hdTmeBQqU8VKIvZUlkj/cBhZeK4lu/XdmYwc:SQQHWvZgkjcDefMFm+
                                                                                                                                                                                                                                        MD5:AC53C5D5E2F1E2CCFD83408856CE81DB
                                                                                                                                                                                                                                        SHA1:14F67D98612AAD86C092DD05200B21A4FDFB8E1C
                                                                                                                                                                                                                                        SHA-256:756C0D73225DA2A0DA97C879E00F6D5B273A0078D0BAB55EB52755B449D1A896
                                                                                                                                                                                                                                        SHA-512:0FAB821D87FD7DAAB480DB7BF54F0A51A73A16E91440D7EA440A56F6BB3D177105BF1E0741F7D4B94D206F6152104F7B35456AE1F1054B6F679FF0A126588454
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host - 6.0.32 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host - 6.0.32 (x64)., Template: x64;1033, Revision Number: {6CC46603-A43D-40BF-9045-9949A2B95632}, Create Time/Date: Sun Jun 16 05:59:54 2024, Last Saved Time/Date: Sun Jun 16 05:59:54 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):811008
                                                                                                                                                                                                                                        Entropy (8bit):6.573482407139199
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:7hdTmeBQqU8VKIvZUlkj/cBhZeK4lu/XdmYwc:SQQHWvZgkjcDefMFm+
                                                                                                                                                                                                                                        MD5:AC53C5D5E2F1E2CCFD83408856CE81DB
                                                                                                                                                                                                                                        SHA1:14F67D98612AAD86C092DD05200B21A4FDFB8E1C
                                                                                                                                                                                                                                        SHA-256:756C0D73225DA2A0DA97C879E00F6D5B273A0078D0BAB55EB52755B449D1A896
                                                                                                                                                                                                                                        SHA-512:0FAB821D87FD7DAAB480DB7BF54F0A51A73A16E91440D7EA440A56F6BB3D177105BF1E0741F7D4B94D206F6152104F7B35456AE1F1054B6F679FF0A126588454
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):705
                                                                                                                                                                                                                                        Entropy (8bit):5.4123162023111675
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:EgI0LBi+304hvits5fXcj//s304hi/fNEhHmX/qHXZNDUSEMszVltNni8WYCRm:g0LBV3/vZsjc3//QXkXZIMEVlt1Zim
                                                                                                                                                                                                                                        MD5:E65AFE9975FCA3BC8097AE45D29C90EF
                                                                                                                                                                                                                                        SHA1:0826B6A9270146D64A10E2EB3FE3E40D826EF88C
                                                                                                                                                                                                                                        SHA-256:1581F0DDECB56D81B3FFC0EBCF9B1B28D6A783046230313C794D5AE1967C3882
                                                                                                                                                                                                                                        SHA-512:7C85B0C0111A8BA8EE9060AC81937F7A7504BF107E4DBD32DC3F0B94F0A8E3A6A344FCE4C06B06BDEF0E3DCC69FA2EE5A7995014A3DE7A0F161DCC41D164D3FF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@}..Y.@.....@.....@.....@.....@.....@......&.{A09F8381-88C3-44C4-9DAB-AC44F4F4DB4B}".Microsoft .NET Host - 6.0.32 (x64)..dotnet-host-6.0.32-win-x64.msi.@.....@gA.0.@.....@........&.{6CC46603-A43D-40BF-9045-9949A2B95632}.....@.....@.....@.....@.......@.....@.....@.......@....".Microsoft .NET Host - 6.0.32 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........RegisterProduct..Registering product..[1]i...0......PublishProduct..Publishing product information.......@.....@.....@......&.{A09F8381-88C3-44C4-9DAB-AC44F4F4DB4B}Q.C:\ProgramData\Package Cache\{A09F8381-88C3-44C4-9DAB-AC44F4F4DB4B}v48.128.16743\...@.....@.....@....
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):250736
                                                                                                                                                                                                                                        Entropy (8bit):6.765155684437659
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                                                                                                                                                        MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                                                                                                                                                        SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                                                                                                                                                        SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                                                                                                                                                        SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI30EA.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI33D9.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI380B.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI3C81.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI4B86.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):437315
                                                                                                                                                                                                                                        Entropy (8bit):6.648050770489668
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:ct3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4Kso:szOE2Z34KGzOE2Z34Kp
                                                                                                                                                                                                                                        MD5:884B3DE250F27F5527EEB8DAF65A0688
                                                                                                                                                                                                                                        SHA1:6067A0339151EE104056585CD22DD2102602F6FF
                                                                                                                                                                                                                                        SHA-256:2C2E45350FFB481C8BB0416FD13A08213C41CA77759610487953723ECE9FB20D
                                                                                                                                                                                                                                        SHA-512:4B7177CBEE4004A5A425E90EB9CAAF4EAEF01460C0BDFDF396524421B1BC5CEA77478C296326BEA43D785127DCF24DFA258CD1470263F3084382CE47A699CD2E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI4DA9.tmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@D..Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..setup_it_security (1).msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI6210.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):435977
                                                                                                                                                                                                                                        Entropy (8bit):6.6514714139154
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:st3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4Kse:czOE2Z34KGzOE2Z34K5
                                                                                                                                                                                                                                        MD5:820C1A823C515AD87D5B11FCEE205425
                                                                                                                                                                                                                                        SHA1:901CAC30D5F5233FF8207A66E5B9DD7AE66612ED
                                                                                                                                                                                                                                        SHA-256:C04FDB497FC1778E17676806714EBE124B99558A53DA6923AFD2505EE688D18A
                                                                                                                                                                                                                                        SHA-512:D265304398E5120A96296B9C2D9F12E34E14C68971FCEA45FE4670C4BA07C793B3AEAD5DB33E32E3F3629DDA2305629BDE72F1379295D9958712966CF5812EBF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI897D.tmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@n..Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..setup_it_security (1).msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........InstallInitialize......&.{18F64F52-CE08-434F-A5F1-7A8A39D59EEA}....&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}c.&.{18F64F52-CE08-434F-A5F1-7A8A39D59EEA}............StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):250736
                                                                                                                                                                                                                                        Entropy (8bit):6.765155684437659
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                                                                                                                                                        MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                                                                                                                                                        SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                                                                                                                                                        SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                                                                                                                                                        SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):437217
                                                                                                                                                                                                                                        Entropy (8bit):6.647849246054569
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:8t3jOZy2KsGU6a4Kspt3jOZy2KsGU6a4KsV:MzOE2Z34K+zOE2Z34Ks
                                                                                                                                                                                                                                        MD5:A0E869E40FFC9BC23E04BAB340DA58DA
                                                                                                                                                                                                                                        SHA1:ABB227C9E7A5384CBB3DA416E515B9F4B8314D2E
                                                                                                                                                                                                                                        SHA-256:8EE4B68553162B8D058BB6C7D448F46F25E1C7FA74F2651A0DBF7ED97BAC7E5B
                                                                                                                                                                                                                                        SHA-512:F6A930F165BF30BF2C02E613306FA765E0813F5A668880311FD5D27ED9B42AD7657BCEA4B8A8A3F305A436EDD0D66FFD9AF61C0C08925A71461E375BB7B6EE7E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIA381.tmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@q..Y.@.....@.....@.....@.....@.....@......&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}..AteraAgent..ateraAgentSetup64_1_8_7_2.msi.@.....@.....@.....@........&.{911E9E2F-B38D-4D02-A148-5E49FC9D8943}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[....
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):250736
                                                                                                                                                                                                                                        Entropy (8bit):6.765155684437659
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                                                                                                                                                        MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                                                                                                                                                        SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                                                                                                                                                        SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                                                                                                                                                        SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):84904
                                                                                                                                                                                                                                        Entropy (8bit):5.647986293338289
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:HW7nUIYEPaCQ1rAEIeJU8Zg65Q+fUQxs+RQdBKvlH0Vjqgg1bcdv4Yu8EB5vv49t:27BNG+u1K
                                                                                                                                                                                                                                        MD5:808CDD1353E1107AE76A174294D1A877
                                                                                                                                                                                                                                        SHA1:C6CCBA17E55A24E5589640E9C38F76020B4C8C74
                                                                                                                                                                                                                                        SHA-256:5E07828FB2A740C48A4C0B8ACD56A62E41EF4644989BEAF304054AC358296983
                                                                                                                                                                                                                                        SHA-512:DD772311E2FA5A24C6264DD931C2F26BC975ABE8982736B5E9C33E0AA519735603BECA485E0B9FB4D4312D36C0797346C571F0FE6EBD085F3F4650773E44856B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@u..Y.@.....@.....@.....@.....@.....@......&.{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}%.Microsoft .NET Runtime - 6.0.32 (x64)!.dotnet-runtime-6.0.32-win-x64.msi.@.....@gA.0.@.....@........&.{81A6B662-3AB0-42DC-AE22-74E8036F80FA}.....@.....@.....@.....@.......@.....@.....@.......@....%.Microsoft .NET Runtime - 6.0.32 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{3B053811-15BE-513E-9DEC-B2B5C4918267}S.02:\Software\Classes\Installer\Dependencies\dotnet_runtime_48.128.16743_x64\Version.@.......@.....@.....@......&.{12C6BE75-4A6B-5D0E-8906-981484BEDEFB}D.C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\.version.@.......@.....@.....@......&.{5B8B7A30-DD32-5F3F-BF38-4CDA80FF7B58}^.C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-console-l1-1-0.dll.@.......@.....@.....@......&.{2D57BD37-A665-5E90-A9
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):250736
                                                                                                                                                                                                                                        Entropy (8bit):6.765155684437659
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                                                                                                                                                        MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                                                                                                                                                        SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                                                                                                                                                        SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                                                                                                                                                        SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):250736
                                                                                                                                                                                                                                        Entropy (8bit):6.765155684437659
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                                                                                                                                                        MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                                                                                                                                                        SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                                                                                                                                                        SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                                                                                                                                                        SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2805
                                                                                                                                                                                                                                        Entropy (8bit):5.768859286506794
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:ALbin8264hpnUHMb6P3hvKhG1kYCbD8SuhM4DdeU1DgnPhXyDZkeEVlttyXcXo:ALbnfOaHPU44FY/pe6cADZkeEPk
                                                                                                                                                                                                                                        MD5:0290CEC9403CDA3ADF0E239FD7BCB57D
                                                                                                                                                                                                                                        SHA1:00E3447C07ADD9AAC4C848EA84D966F8F1A16E65
                                                                                                                                                                                                                                        SHA-256:2C386F4F8DA43D7374A785873858C41D717E6555438CE83C5B7D1564EB0C10F0
                                                                                                                                                                                                                                        SHA-512:E188DAEE78A61840D4E461D2B28D819D3F004D019C62111A5DB09E6200F40E429EC88193BCDBB8C0A94CE626918BC3F6A9E10583B18914C35B55520CE2EA2601
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@|..Y.@.....@.....@.....@.....@.....@......&.{667CB653-70E1-4E2B-9C8E-6A02A6CF88B9}..Microsoft .NET Host FX Resolver - 6.0.32 (x64)!.dotnet-hostfxr-6.0.32-win-x64.msi.@.....@gA.0.@.....@........&.{43DA5864-E85C-44A5-B8EC-4BB554FA8AFC}.....@.....@.....@.....@.......@.....@.....@.......@......Microsoft .NET Host FX Resolver - 6.0.32 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{E116E585-E2CE-5BAC-A645-7047860785B2}W.02:\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.128.16743_x64\Version.@.......@.....@.....@......&.{0AC899A6-3CC6-559F-9577-67925851F466}3.C:\Program Files\dotnet\host\fxr\6.0.32\hostfxr.dll.@.......@.....@.....@......&.{8EC524B8-7864-5ACE-B320-2D36216EBC12}?.02:\SOFTWARE\dotnet\Setup\InstalledVersions\x64\hostfxr\Version.@.......@.....@.....@........InstallFiles..Copying new files&.File: [1], Dir
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):250736
                                                                                                                                                                                                                                        Entropy (8bit):6.765155684437659
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                                                                                                                                                        MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                                                                                                                                                        SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                                                                                                                                                        SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                                                                                                                                                        SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x.....V...V...V:i.W...V:i.WR..V.q.W...V.q.W...V.q.W...V:i.W...V:i.W...V:i.W...V...V&..Vup.W...Vup.W...VupFV...V...V...Vup.W...VRich...V................PE..L......e...........!.....<...X......Q........P...........................................@..........................G.......L..........x............|..pW...........<..T............................<..@............P..0............................text....:.......<.................. ..`.rdata.......P.......@..............@..@.data...4$...`.......N..............@....rsrc...x............X..............@..@.reloc...............^..............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):714
                                                                                                                                                                                                                                        Entropy (8bit):5.447658403661247
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:EgE20LBVevIZ+30gBGLyeIp3qj//l30gBi/fNEhHmX/qHXZNDUSEMszVltNn6evL:820LBVk3tGeee6jV3t/QXkXZIMEVlt1r
                                                                                                                                                                                                                                        MD5:571035598347011B62CD77F36CB4A147
                                                                                                                                                                                                                                        SHA1:D0EAE16F1F9B0F3BBA7CFF227EE52BA544C7EE1A
                                                                                                                                                                                                                                        SHA-256:055F1F399BD0218E5EC9B71742DDC3C59ADBD1AD13DB6BD0158F9CD94861DDB1
                                                                                                                                                                                                                                        SHA-512:5224FDD59F7F84B8075DCBED608E5296F6A137B00FB0C4BE883E6CF0D454DCDD33B3496FDD4DE23880229CF3181675A75028AA732C4B0869AE6C37E634D483EB
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@|..Y.@.....@.....@.....@.....@.....@......&.{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}%.Microsoft .NET Runtime - 6.0.32 (x64)!.dotnet-runtime-6.0.32-win-x64.msi.@.....@gA.0.@.....@........&.{81A6B662-3AB0-42DC-AE22-74E8036F80FA}.....@.....@.....@.....@.......@.....@.....@.......@....%.Microsoft .NET Runtime - 6.0.32 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........RegisterProduct..Registering product..[1]i...0......PublishProduct..Publishing product information.......@.....@.....@......&.{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}Q.C:\ProgramData\Package Cache\{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}v48.128.16743\...@.....@.....@....
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4254
                                                                                                                                                                                                                                        Entropy (8bit):5.709421391420528
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:ALTpblU3gtEVPQHLxo5qmao3t+G3uce6P4DDkrQEPtjA:EnUweUm9BL3uce6TkW2
                                                                                                                                                                                                                                        MD5:70B347A158F9B2C9D1EBC7C2D418C8DF
                                                                                                                                                                                                                                        SHA1:822D168056D332B98F0AECB60DDA39D315AB4D7B
                                                                                                                                                                                                                                        SHA-256:242000C2D4761956D94EC2C934E69CE9153421B71FA1111B6A9A94559A5431C6
                                                                                                                                                                                                                                        SHA-512:7D30436D4AF0F9B23567643C18F5AEE3477BE95164982166FC402DBF4246507979927F67A2F36D7ADCC5E23EC6EE02E833D39B3ABB42ABD9D826FF9C17BB31A3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@|..Y.@.....@.....@.....@.....@.....@......&.{A09F8381-88C3-44C4-9DAB-AC44F4F4DB4B}".Microsoft .NET Host - 6.0.32 (x64)..dotnet-host-6.0.32-win-x64.msi.@.....@gA.0.@.....@........&.{6CC46603-A43D-40BF-9045-9949A2B95632}.....@.....@.....@.....@.......@.....@.....@.......@....".Microsoft .NET Host - 6.0.32 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{3AB1371A-161F-5BD9-98C8-F9BF7A103CA5}X.02:\Software\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\Version.@.......@.....@.....@......&.{45399BBB-DDA5-4386-A2E9-618FB3C54A18}".C:\Program Files\dotnet\dotnet.exe.@.......@.....@.....@......&.{EA9C3F98-F9B1-5212-8980-CFEAF2B15E0D}B.22:\SOFTWARE\dotnet\Setup\InstalledVersions\x64\sharedhost\Version.@.......@.....@.....@......&.{E4E008C8-57A8-5040-BB34-03024B15B6C5}?.02:\SOFTWARE\dotnet\Setup\InstalledVersions\x64\
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):250736
                                                                                                                                                                                                                                        Entropy (8bit):6.765155684437659
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                                                                                                                                                        MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                                                                                                                                                        SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                                                                                                                                                        SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                                                                                                                                                        SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):732
                                                                                                                                                                                                                                        Entropy (8bit):5.475540840628969
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:EgI0LBN30/W4rVwZmj//430/Wi/fNEhHmX/qHXZNDUSEMszVltNnHWYCMeSL:g0LBN3f4rQmjo3f/QXkXZIMEVlt1JRXL
                                                                                                                                                                                                                                        MD5:79165718430108823637202949E5AACE
                                                                                                                                                                                                                                        SHA1:B814D8978E3E941ECED26A337E0E973F5EC759A6
                                                                                                                                                                                                                                        SHA-256:56FF1163CD6A70FB38C0363A1C57EB2BB88AD7A6BAAC6115CC89DB2D1244F465
                                                                                                                                                                                                                                        SHA-512:123D90C5D4FADBAF1F1BD7974F1D3B4E72C6090D2BB8490724103D6372ED810B75BE0E4DA0C923ECD62DADA818E6730B1A31BA577EC249A7FD08E36A3AABBD3F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@}..Y.@.....@.....@.....@.....@.....@......&.{667CB653-70E1-4E2B-9C8E-6A02A6CF88B9}..Microsoft .NET Host FX Resolver - 6.0.32 (x64)!.dotnet-hostfxr-6.0.32-win-x64.msi.@.....@gA.0.@.....@........&.{43DA5864-E85C-44A5-B8EC-4BB554FA8AFC}.....@.....@.....@.....@.......@.....@.....@.......@......Microsoft .NET Host FX Resolver - 6.0.32 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........RegisterProduct..Registering product..[1]i...0......PublishProduct..Publishing product information.......@.....@.....@......&.{667CB653-70E1-4E2B-9C8E-6A02A6CF88B9}Q.C:\ProgramData\Package Cache\{667CB653-70E1-4E2B-9C8E-6A02A6CF88B9}v48.128.16743\...@.....@.....@....
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):250736
                                                                                                                                                                                                                                        Entropy (8bit):6.765155684437659
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                                                                                                                                                        MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                                                                                                                                                        SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                                                                                                                                                        SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                                                                                                                                                        SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.173769421157234
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JSbX72FjniAGiLIlHVRpUh/7777777777777777777777777vDHF7DRONN/Xl0i5:JoQI5ERRqF6F
                                                                                                                                                                                                                                        MD5:43CD2BDE3E6975DD5B36E16389A2F5AF
                                                                                                                                                                                                                                        SHA1:2DE039CE7D010BB5DF9981B7DB800EF2982B3077
                                                                                                                                                                                                                                        SHA-256:8D3E425BE8E622D7A6AE8B4FF6BE8A92E4283F7A047EDD3B4E0B167A57817632
                                                                                                                                                                                                                                        SHA-512:E8E50FBAEF3D13A9C8F66A71441D988EBC968F2610FC4022433D333813F820A4F0381E4997CC7A7AB44CFE4BD2C141F4370A200E1C74E0CE3DDC40EB757EA54F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.1751589535656475
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JSbX72FjctiAGiLIlHVRpUh/7777777777777777777777777vDHF2Vt/Xl0i8Q:JmQQI5E2l6F
                                                                                                                                                                                                                                        MD5:FCE57B5E4833C93D7A3606FEEDD06AAD
                                                                                                                                                                                                                                        SHA1:E54A6C19C752198AC9BD43426641EC1046571E7A
                                                                                                                                                                                                                                        SHA-256:BD165CD2436D80F8DEDD02546F2C3CD24F5BC00771E973B68183C012CEAE73C7
                                                                                                                                                                                                                                        SHA-512:1FF579C78DA465861224C58920D825A6EECBACDA37EBBF303E180973B9CB9DB43742012709F2AE6B4EF349E74112B0F34F9408A133EBF4A525FB887E842E327C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.1725923120349129
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JSbX72FjztiAGiLIlHVRpIh/7777777777777777777777777vDHFzTPrfWrl0i5:JZQQI5wBTr/F
                                                                                                                                                                                                                                        MD5:1FA312C300EAF5BFA425948EF86B5E29
                                                                                                                                                                                                                                        SHA1:FC2334082433C35182D9C8985D76B1142E7E3B9B
                                                                                                                                                                                                                                        SHA-256:F6AFCB80837930032C11D8E245D4E667D7248C0B8EE91204A6B78726FF2942D3
                                                                                                                                                                                                                                        SHA-512:102D5DEAEC5432AF1175B5D3C39A10F0F7548FC0FD49F94D601328AD14DAD8EEDA8B73D31B90A1FDC22C7E6C3E84C2C492896A9B290AFD611EDA8AAE0647AACF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.1717098594535904
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JSbX72FjQiAGiLIlHVRpph/7777777777777777777777777vDHFN1P0onWl0i8Q:J1QI5dqorF
                                                                                                                                                                                                                                        MD5:2350500E00D58AD6C58B2DBE849A2FFE
                                                                                                                                                                                                                                        SHA1:0E994C58BDFB035E19461DEA8A51DB1DA19CB298
                                                                                                                                                                                                                                        SHA-256:63D41491823B3B7F7F489120A363ACF0E3B5F5A38C513DD38E1E3A8F97EB9C46
                                                                                                                                                                                                                                        SHA-512:8CEB6AEA9A17F31909E28F7E9758B98C1C347ED779DCD8A12FE57954F32BBF5ED31A39206D13F1C00AEB9EC403A4EEC2C7F49B764FEBE431CE621EA3769A1EAE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.170772404621315
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JSbX72FjQiAGiLIlHVRpuBh/7777777777777777777777777vDHFV2dGiWXl0i5:JNQI58/qDF
                                                                                                                                                                                                                                        MD5:A392102A544013FD8C3D8BB22BFFF933
                                                                                                                                                                                                                                        SHA1:685BCB11E6F4D86F76D110A0ADE2B68F5D05B46D
                                                                                                                                                                                                                                        SHA-256:389AD725682B36A335A6A1C5DD25968B4E8C178AA5E958089134170CFCEB27AC
                                                                                                                                                                                                                                        SHA-512:2553F8C98DF91318007EBDFCEFBC31F2C5F94DBB74B36FFE5E6F8C793BA391DB91FF2D394A30D2E0FB5F04CFA8EB4B42654C362A5EB183157F1DAC7C0CB77DB8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6077637467676742
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:08PhuuRc06WXzAFT5Gd/8BzSjndd4d/EqdcrIbQySsndd4dNWeUJm:Lhu11FTQ/8Bz9Zc8NXeJ
                                                                                                                                                                                                                                        MD5:1FA714E38E6DC324A3AC9506AFB118B9
                                                                                                                                                                                                                                        SHA1:165A92EB00D70B2B23D0422847DA0ACEE2345AD9
                                                                                                                                                                                                                                        SHA-256:62EF59088A0386526C66246FE8D9F8D141A43DD1B9BB01221F1AF6D8188C4843
                                                                                                                                                                                                                                        SHA-512:68B0B70633C5B60B018324218DF1917DB428686763B232232E4D0554C78D186A6738987981EE37B1AF62BDE2FD7387DC2B96787C2D41AB2D82AF44C4D98F5555
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):432221
                                                                                                                                                                                                                                        Entropy (8bit):5.375166037847143
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauj:zTtbmkExhMJCIpErO
                                                                                                                                                                                                                                        MD5:C1BD27B6F275F6EDFAFA2607FEB56F45
                                                                                                                                                                                                                                        SHA1:7B8022392EFE44E1AE7B3BD8B361B49A8D0F2337
                                                                                                                                                                                                                                        SHA-256:6D02F750B66CF092469ECCE34D8E3D4FE741F2838CBCE6C98EB224B992E8CFA1
                                                                                                                                                                                                                                        SHA-512:A95550472C89E5280FD5AEE6482262AB3E0DEEC8BEC9D3ECAD74CEB2D1C3AC84EE1D9708DE5A73AEEA9515A41CE7CA09AD21BE44B9CA603F6F17CFD981C52384
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):651
                                                                                                                                                                                                                                        Entropy (8bit):5.343677015075984
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                                                                                                                                                        MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                                                                                                                                                        SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                                                                                                                                                        SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                                                                                                                                                        SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):704
                                                                                                                                                                                                                                        Entropy (8bit):4.805280550692434
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:tIDRFK4mAX7RBem7hccD+PRem7hUhiiGNGNdg6MhgRBem7hccD+PRem7hUGNGNkm:Us43XVBVhcmMRVhMipNVeBVhcmMRVhro
                                                                                                                                                                                                                                        MD5:EF51E16A5B81AB912F2478FE0A0379D6
                                                                                                                                                                                                                                        SHA1:B0F9E2EE284DD1590EA31B2D3AD736D77B9FC6A7
                                                                                                                                                                                                                                        SHA-256:2C5D5397CEDF66DB724FED7FB4515B026A894F517A0DFBE8AE8ADF52DB61AA22
                                                                                                                                                                                                                                        SHA-512:296A11DB55BFEE7D87897BB63BC9E2C05786D3FD73A894DA5AF76F7A756495C6CCC0959C88844DFB5560DE2374A257201D960E004EC09D8C9DFB50952C5EF2D2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\System32\InstallUtil.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...Running a transacted installation.....Beginning the Install phase of the installation...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Install phase completed successfully, and the Commit phase is beginning...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Commit phase completed successfully.....The transacted install has completed...
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):471
                                                                                                                                                                                                                                        Entropy (8bit):7.2041805623023185
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JyYO+t5GLsHKqCWArzAypfp0cCz7y+BjoE6IBsy/y+e:JRO+tILsBCHrBN9we+Bj76Ye
                                                                                                                                                                                                                                        MD5:D4594A676D2DBAA90FB3F993AEA7E90A
                                                                                                                                                                                                                                        SHA1:867D05F2888AD96D402F1B214D11FFDFB4A908F2
                                                                                                                                                                                                                                        SHA-256:DE941847E9277A4C2C8576C1463D4685730C986466476068D5F5BC0893CE9491
                                                                                                                                                                                                                                        SHA-512:AB2545583FBCA3B710706293CF2CD9DB7869AE613B1B0AA573B5CB37D82CC1365D676AE2D7ED10FDA3B3C59F73217E0C1F8AC24AA4C5F50DBF1F222543AE2EDA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):727
                                                                                                                                                                                                                                        Entropy (8bit):7.583424873648925
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:5o6Tq9xc5h44TUqFq7O9DTT64ySXxSFh31LpYmzx3FB+t/teVA/3za6JGyYo8Qmi:5gcoqBDNhSHv3Fy/oVAPu/J/+
                                                                                                                                                                                                                                        MD5:F88B81B5EB4EB6CCC78D514BFA419E2D
                                                                                                                                                                                                                                        SHA1:9C203D133D2A89D492E622F7506D3929DCB964EA
                                                                                                                                                                                                                                        SHA-256:CA97DDD33C87D120F642962AB9C47E8220E9579B5A2F15C330C2B4B8EE450361
                                                                                                                                                                                                                                        SHA-512:C734D7EE984296E9C9C2D55F28C0D86905D5673FEFCC71F99D8BDBECDEE987AF2BB9AD01A66652CA02213EE7DD2714158CB7BF8E5D94F02ABD3BE4F2B6FCB86C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Certificate, Version=3
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1716
                                                                                                                                                                                                                                        Entropy (8bit):7.596259519827648
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
                                                                                                                                                                                                                                        MD5:D91299E84355CD8D5A86795A0118B6E9
                                                                                                                                                                                                                                        SHA1:7B0F360B775F76C94A12CA48445AA2D2A875701C
                                                                                                                                                                                                                                        SHA-256:46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
                                                                                                                                                                                                                                        SHA-512:6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):727
                                                                                                                                                                                                                                        Entropy (8bit):7.5495086597731245
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:5onfZbUqc5RlRtBfQVUqmss7PGuUCTTloGG9YYZQNlxXuHi/gq3coSg:5iCqcdZJqmj6ul+vV6xHYZg
                                                                                                                                                                                                                                        MD5:A00F73FCB3A5F7280D12E12C60AC2222
                                                                                                                                                                                                                                        SHA1:1EF58C9AE73D1600F5D3E0EBD5A4EEAB1FE7A331
                                                                                                                                                                                                                                        SHA-256:802E13FDF6FBBF9A0EDAE48AE0E5A12E0EA28942F3A1C864785781C4EEC6A932
                                                                                                                                                                                                                                        SHA-512:FA55080EEC654F0877133447866665D054F0DC5BFD7E0C03B014D4D1DA7AFA3D1F9CCB07072AF7D479715F9DDC9F38D35D9135D62E94C6F1482E2DC1B56964FC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Certificate, Version=3
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1428
                                                                                                                                                                                                                                        Entropy (8bit):7.688784034406474
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
                                                                                                                                                                                                                                        MD5:78F2FCAA601F2FB4EBC937BA532E7549
                                                                                                                                                                                                                                        SHA1:DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
                                                                                                                                                                                                                                        SHA-256:552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
                                                                                                                                                                                                                                        SHA-512:BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):338
                                                                                                                                                                                                                                        Entropy (8bit):3.423677968107401
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kK/2r8lJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:ulkPlE99SCQl2DUevat
                                                                                                                                                                                                                                        MD5:D7BB6F09DAA23C91548635229BC4A134
                                                                                                                                                                                                                                        SHA1:4791CF76375F0A952FD72B405E010BDBE6192912
                                                                                                                                                                                                                                        SHA-256:581538095C16D85DF79FA5C1422406E59C3DA81A93B40332A0112B2D0E29E6A6
                                                                                                                                                                                                                                        SHA-512:221FF5BDBA4158D064843A2E68687A28E0E3E18B504AA3F6178C5295DEC8051D00BBC2B96CB0E831663CE9FDAF1B6B48CBD48040870B19C167EB99173A516BE9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ........b..t...(................................................".17... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):400
                                                                                                                                                                                                                                        Entropy (8bit):4.019478574566422
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kKDvlltSNaMXlRNfOAUMivhClroFzCJCgO3lwuqDnlyQ4hY5isIlQhZgJn:RmpmxMiv8sFzD3quqDkPh8Y2ZM
                                                                                                                                                                                                                                        MD5:9E0C2ACC87ABF80520500AAA80C5E189
                                                                                                                                                                                                                                        SHA1:CB455308368EF459D4382571040B46C05EFEB472
                                                                                                                                                                                                                                        SHA-256:FC186D550F971FFFB8CC9FD5B7E668252AF7681B78DA8ABA39145688690B4E89
                                                                                                                                                                                                                                        SHA-512:B633E0A90055B00BC03281E6204CF54AFA7B8F497CDD4452F4C2BED355939D23DD6D2274A13D2D1852E69BA4A084FDBEB64C0039133E6438B75443B976E22200
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ........@...t...(.................|......*a......................*a..... .........Q.n... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.3.x.L.4.L.Q.L.X.D.R.D.M.9.P.6.6.5.T.W.4.4.2.v.r.s.U.Q.Q.U.R.e.u.i.r.%.2.F.S.S.y.4.I.x.L.V.G.L.p.6.c.h.n.f.N.t.y.A.8.C.E.A.6.b.G.I.7.5.0.C.3.n.7.9.t.Q.4.g.h.A.G.F.o.%.3.D...
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):404
                                                                                                                                                                                                                                        Entropy (8bit):3.9417533081420757
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kK3UC1Yl/G2/9EKfOAUMivhClroFHXHDZA6liyZlSlMul0bg3PWovy28lhl+Ksc8:jilT/9mxMiv8sF3HtllJZIvOP205scn8
                                                                                                                                                                                                                                        MD5:880A4DC9E99080B3435A60E69F7AB108
                                                                                                                                                                                                                                        SHA1:AD04A39B846F958BF304E8D515D55C323A2E900A
                                                                                                                                                                                                                                        SHA-256:5CAFFB0AEF408BAABF279D761656B59C62F85B24B8B41F3719BB7BF42751E841
                                                                                                                                                                                                                                        SHA-512:E9E09455F0D72D900B1AAD3FDE94EE1BF1DECFC7AD4C0FE4C33FF3B6E3DF751A7F4104616F9531B88A302942056890996C4769D8D52E70850C21677477278630
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... .... .....5.z...(.................Q......q.#.....................q.#... .........kvn... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.S.R.X.e.r.F.0.e.F.e.S.W.R.r.i.p.T.g.T.k.c.J.W.M.m.7.i.Q.Q.U.a.D.f.g.6.7.Y.7.%.2.B.F.8.R.h.v.v.%.2.B.Y.X.s.I.i.G.X.0.T.k.I.C.E.A.o.o.S.Z.l.4.5.Y.m.N.9.A.o.j.j.r.i.l.U.u.g.%.3.D...
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):308
                                                                                                                                                                                                                                        Entropy (8bit):3.2091018677016283
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kK5D/k3zNcalgRAOAUSW0P3PeXJUwh8lmi3Y:FsCtWOxSW0P3PeXJUZY
                                                                                                                                                                                                                                        MD5:00CBAED6637D6926151AA8B9B6A1EA0C
                                                                                                                                                                                                                                        SHA1:CB5B5B0D7EE8E9B1454E721ED769FEE5BE0A225C
                                                                                                                                                                                                                                        SHA-256:4A9897D9A748667E63BB0B86E7EDC363A826A5A4F56A2191A6E04ABDD090A731
                                                                                                                                                                                                                                        SHA-512:12DF9E56EEDA2D4EA3F08F0E0BD3D1D090CACED98681DC302ABEA725B7C2F97A40AA67F3F3156A23CA18AC1EB39AE2732FCA9AB275436172AC32456BF6830AFC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ..........bWz...(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):412
                                                                                                                                                                                                                                        Entropy (8bit):3.9704147854087974
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ....(....U..t...(................]........q/......................q/.... ........>G.p... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):254
                                                                                                                                                                                                                                        Entropy (8bit):3.053292038113393
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ....l...r..kz...(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):1950
                                                                                                                                                                                                                                        Entropy (8bit):5.344231540116017
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1944
                                                                                                                                                                                                                                        Entropy (8bit):5.343420056309075
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1983
                                                                                                                                                                                                                                        Entropy (8bit):5.345248756179348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):1933
                                                                                                                                                                                                                                        Entropy (8bit):5.355086078533374
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):3043
                                                                                                                                                                                                                                        Entropy (8bit):5.361093730986187
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):1722
                                                                                                                                                                                                                                        Entropy (8bit):5.366509527070196
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkCHKe6PfHKWA1eXrHKlT4fHi:iqbYqGSI6oPtzHeqKkCq13qhA7qZ4fC
                                                                                                                                                                                                                                        MD5:12EDC7C8880BE159C159CCB8144A5011
                                                                                                                                                                                                                                        SHA1:CB75973C194B8131E0BBAFEC417E13F040DEEC42
                                                                                                                                                                                                                                        SHA-256:96935DE33B56EC976A012F6B2D00E39E66CF18735D5A65FBD849CFA0648C8A22
                                                                                                                                                                                                                                        SHA-512:C11A8DD3774B5FB0E6D9326759D039203C23B657F47F17AC1920C425F54E4B0FA44AE93ED87302603E330F75EA359E7969B7CBFEEC0DC432F88DA5551CA7D1B5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\545a9409c1
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):1933
                                                                                                                                                                                                                                        Entropy (8bit):5.355086078533374
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkCHKe6PfHKWA1eXrHKlT44HKRHi:iqbYqGSI6oPtzHeqKkCq13qhA7qZ44qE
                                                                                                                                                                                                                                        MD5:A2068CF2C7C5A1DB663DFFDEDDC96962
                                                                                                                                                                                                                                        SHA1:D7FBB091C747A607854E3268457F7567D7B363FE
                                                                                                                                                                                                                                        SHA-256:67B5A18352DAEE1ED057CCD4B6F967DA285B9636FA83BAF3480701FF8D917395
                                                                                                                                                                                                                                        SHA-512:BF130285468B26E4EA69C736A3CDA41271828AF543A1B3792469F5D7652FF5532B4AE4EB3348301ECA913F5846523A74433A43A63F3FFF9540A6C48849CAA25E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\545a9409c1
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1727
                                                                                                                                                                                                                                        Entropy (8bit):5.343723162826375
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKk+HKlT44HKmHKe6P8mHDp689:iqbYqGSI6oPtzHeqKk+qZ44qmq1nD
                                                                                                                                                                                                                                        MD5:8F261A78E0BA45A61C647FFAAD12969B
                                                                                                                                                                                                                                        SHA1:84AB09FE2321189C0F62B71B721BF3C656B7B276
                                                                                                                                                                                                                                        SHA-256:C198A0C7316C820D7F4A915327007E08E8DA8F99F962B323158837CCAC4D1D27
                                                                                                                                                                                                                                        SHA-512:4194EC90DAE6641CDD974E4021A3FF74F2357274651CC42050D3091B752854E9EA536760EFC74031D305924F0F447D6B8C413279CC44B499CC88C1840B8F6D0F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\Syste
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1499
                                                                                                                                                                                                                                        Entropy (8bit):5.341844552740347
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUN+E4KlOU4mHE4KXWE4Ke60:MxHKQwYHKGSI6oPtHTHhAHKKk+HKlT4A
                                                                                                                                                                                                                                        MD5:1F102800C2B4B52354570886D784EA54
                                                                                                                                                                                                                                        SHA1:B84148B4A84AF5669134EB9EC27904A05E2517D2
                                                                                                                                                                                                                                        SHA-256:8367F22954F447B469ED78A27028539219651BEB79AFF371045A3347E99B906A
                                                                                                                                                                                                                                        SHA-512:AE4C42696AC5C7F532820D0B5D2412FEAEE4641884B189559C25989E013E09D799C10C98DDC6813D9F7C76A475C34DF8A48BAFC2F5D17708CF5440F931D1CE0A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\Syste
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1075
                                                                                                                                                                                                                                        Entropy (8bit):5.353521172341231
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNa8mE4Dp689:MxHKQwYHKGSI6oPtHTHhAHKKka8mHDpN
                                                                                                                                                                                                                                        MD5:BDADAD127D5A6079C29C0C870A5C3C2C
                                                                                                                                                                                                                                        SHA1:AD5D30886AE959F271CF777D386A31CD792C9A64
                                                                                                                                                                                                                                        SHA-256:7186B9EAC66BD83E5E1C050D81529BC68511538118E65019EBECFD952C22FD55
                                                                                                                                                                                                                                        SHA-512:198087F52C39A32ACE7A90E9212C2AA0F31EDF8349773C8C6C5495CA82C890F9A8A44356AC5AEBB42F3342E6BE981DC4BCFE1D7FB43760745D7240A117257725
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv7
                                                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):64
                                                                                                                                                                                                                                        Entropy (8bit):0.34726597513537405
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:Nlll:Nll
                                                                                                                                                                                                                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                                                                                                                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                                                                                                                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                                                                                                                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:@...e...........................................................
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):225742
                                                                                                                                                                                                                                        Entropy (8bit):3.7875131596369114
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:W8j9/auV3gXm7joeNx/iFWJBV5Vm5Xvn9Pqeek4sk7MnXNuHTgrQNoboN26L58Ac:WrojOJgEZGjIR/e4fzvIs3+y
                                                                                                                                                                                                                                        MD5:1CA40EA969B4EA39B45251B366ABF03A
                                                                                                                                                                                                                                        SHA1:414D4B6BB5BF0229DCE5C1A977ADB7B93CA69975
                                                                                                                                                                                                                                        SHA-256:4E44F0D3E6EFDADEBB941D86E0C271268D40C439407CB86F75AC5D17B132E5BF
                                                                                                                                                                                                                                        SHA-512:F937A25DAC0C46D7BCC3374A8B21573A7DBF153008BA66281AB0D9B7FCC11D6B3ED010BB9B809167E5F7049ABF5D7D584B74555497FAC279D5810E0FFFE9BC25
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\AteraSetupLog.txt, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
Preview:=== Verbose logging started: 05/08/2024  16:19:04  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\SYSTEM32\msiexec.exe ===
MSI (c) (B8:B0) [16:19:04:373]: Resetting cached policy values
MSI (c) (B8:B0) [16:19:04:373]: Machine policy value 'Debug' is 0
MSI (c) (B8:B0) [16:19:04:373]: ******* RunEngine:
           ******* Product: C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi
           ******* Action:
           ******* CommandLine: **********
MSI (c) (B8:B0) [16:19:
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):532420
                                                                                                                                                                                                                                        Entropy (8bit):3.8390186203268195
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:olbZNjkWfr0dnYzMCjnWuxZLQYQpmvrV6QqwshYZY27XB1jDAwjR8QWRhk/WBSH+:Sjkpj
                                                                                                                                                                                                                                        MD5:56524D1400CD96C35BED470034385861
                                                                                                                                                                                                                                        SHA1:DE73B75C504754548A695100CD5B4106AD55B601
                                                                                                                                                                                                                                        SHA-256:3E19E58618DA767DFAE48A0DC2CA84A76CE50332D94BA5CFB7E50C09EE9630C7
                                                                                                                                                                                                                                        SHA-512:FD541D939F500AD846472C5D30FB0AE90BB62ADAC4EF59CE9164078EC4E2F1A1790C4786260F7E71E710FFD6C54552362464E119C371FDBBF6213BB32029EA4A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.32_(x64)_20240805161932_000_dotnet_runtime_6.0.32_win_x64.msi.log, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
Preview:=== Verbose logging started: 05/08/2024  16:19:39  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\Temp\{DD22D4F0-F843-4B3D-A0B4-498DA7210FBE}\.be\dotnet-runtime-6.0.32-win-x64.exe ===
MSI (c) (90:2C) [16:19:39:550]: Resetting cached policy values
MSI (c) (90:2C) [16:19:39:550]: Machine policy value 'Debug' is 0
MSI (c) (90:2C) [16:19:39:550]: ******* RunEngine:
           ******* Product: C:\ProgramData\Package Cache\{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}v48.128.16743\d
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (400), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):99398
                                                                                                                                                                                                                                        Entropy (8bit):3.798649792209229
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:tIwhm26WTYPzA7LA1JwfGm2AB925AiSY/ZCWW0AJAcA8AxAPAJpA6FAqGAd/z4aD:tUAjbjwj8/0
                                                                                                                                                                                                                                        MD5:8BA1868E8D259421786F2DBBA4033371
                                                                                                                                                                                                                                        SHA1:15C91D0D41ADD9A8CE75C81A0E175BA903CBDB1D
                                                                                                                                                                                                                                        SHA-256:F61E7D60F84555FA719F05833484476BB411D21DB919A93B57C8E340106E2614
                                                                                                                                                                                                                                        SHA-512:432C88FBB7E8F951323C8B5E51105BB07A65B3D0DB8EFE7A04D6B78D7C9394C9395F159388B4F80069C52398CE7298AFC9252BB1E0ECEC1F91AE4651DE1D707B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.32_(x64)_20240805161932_001_dotnet_hostfxr_6.0.32_win_x64.msi.log, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
Preview:=== Verbose logging started: 05/08/2024  16:19:54  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\Temp\{DD22D4F0-F843-4B3D-A0B4-498DA7210FBE}\.be\dotnet-runtime-6.0.32-win-x64.exe ===
MSI (c) (90:74) [16:19:54:003]: Resetting cached policy values
MSI (c) (90:74) [16:19:54:003]: Machine policy value 'Debug' is 0
MSI (c) (90:74) [16:19:54:003]: ******* RunEngine:
           ******* Product: C:\ProgramData\Package Cache\{667CB653-70E1-4E2B-9C8E-6A02A6CF88B9}v48.128.16743\d
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (385), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):109720
                                                                                                                                                                                                                                        Entropy (8bit):3.7980688469017045
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:xB9f3xUZ58+ABkNSrgS6siyxn5asvh5BbQ/+kn04Nt6DEpMMAZjSxRdpwzDk31gj:xJhjSigtaKpS1+TMyO
                                                                                                                                                                                                                                        MD5:520077440F795E4757FA6D0C46AE00EA
                                                                                                                                                                                                                                        SHA1:81B6999757F4693CB16FDBAEF7EF47786F8CEA7E
                                                                                                                                                                                                                                        SHA-256:C9D253AB4FA01F0B4E330ED134B53F886B5C9D900A7C1FDFA9725757314B1A47
                                                                                                                                                                                                                                        SHA-512:CB42E093512476F28844A3BB2745864A8485F1F1637B3FB658D072CCAB84B4C282448FE37B6ED51A3ED9BAE9F21769FC432000CA43CAEFB1F3BB019B9A93D799
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.32_(x64)_20240805161932_002_dotnet_host_6.0.32_win_x64.msi.log, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
Preview:=== Verbose logging started: 05/08/2024  16:19:54  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\Temp\{DD22D4F0-F843-4B3D-A0B4-498DA7210FBE}\.be\dotnet-runtime-6.0.32-win-x64.exe ===
MSI (c) (90:F8) [16:19:54:659]: Resetting cached policy values
MSI (c) (90:F8) [16:19:54:659]: Machine policy value 'Debug' is 0
MSI (c) (90:F8) [16:19:54:659]: ******* RunEngine:
           ******* Product: C:\ProgramData\Package Cache\{A09F8381-88C3-44C4-9DAB-AC44F4F4DB4B}v48.128.16743\d
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):52853928
                                                                                                                                                                                                                                        Entropy (8bit):7.941280777334469
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:786432:iTVOuIdnXeYOf9QBOgMqoaen728gEb4dIgEdj8SmIqm50muEs:AVO+4bvXQ/mo50mhs
                                                                                                                                                                                                                                        MD5:7C4902773A19057DA00AA30C3D2EF267
                                                                                                                                                                                                                                        SHA1:175A455382D44852C57248C1F504EA056D514226
                                                                                                                                                                                                                                        SHA-256:E3F7DD9B306C06C128178B13FF641637CD50722BC92D38E368157FDE94470A58
                                                                                                                                                                                                                                        SHA-512:6A09E4DC54FE0B696EC46B7A47523DE4A951009AE527825D32D6828925C02B3EF0A629C97A0044812A4EC31C44E0E11E7D5FEFEDDD2883AD9842BAB9AE6347CA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878630966889847
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                                                                                                                                        MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                                                                                                                                        SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                                                                                                                                        SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                                                                                                                                        SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2778089812392408
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:FOLuXth8FXz/T5bydfqqmBSjndddwEqdGUDjrbQiSsndddSE8Qq:wLXBTVufqqmBf3DHNaQq
                                                                                                                                                                                                                                        MD5:D528564E6B231B1FFBE6099E3BAA245C
                                                                                                                                                                                                                                        SHA1:3429CF4B729D9B4BDC9FC782923AFABDE006D1E5
                                                                                                                                                                                                                                        SHA-256:0B058DA4A88180C702BB00261691D67408F057D4C285DC70A1F206E4BEA53A4A
                                                                                                                                                                                                                                        SHA-512:9ECF0D505CFB8FFF733C5C88F6F6FCFFF76148206C97150C15304FB1AB15EA595A504C021C00152ED28FE788C071D36E1C73FA46E4479235FD1CC2D2BFBD3771
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF03343DD798B212B3.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6047714907141517
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:98Ph4uRc06WXzAFT5vd/8BdSjndd4d/EqdGUDjrbQSSsndd4dXE8:gh411FT7/8Bd93DHNg
                                                                                                                                                                                                                                        MD5:D76F903BC682A7EBD580BAD0D67E7AD5
                                                                                                                                                                                                                                        SHA1:085B97AEF044202739804EED1788CFD43254BC6C
                                                                                                                                                                                                                                        SHA-256:D0D2A95FEBF9F56FA19BFE3E5A0A90D270F2129E44AE21481C67714D00989BBF
                                                                                                                                                                                                                                        SHA-512:F795774A02E062A799BC0BE68E589C40380E5B6836F086B1CE24A1A4D061575C43635DE887467D4BA5B2B58A8BD882CDC1BF2BB771B6095664123DCD40E52220
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF06EFE7E1CBF36F11.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.14509362579992716
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:TUSEuSsndYSjnd/EqdGUDjrbQaRECdYm8d:AiWI3DH9E+n8
                                                                                                                                                                                                                                        MD5:D3287EB5C980BD114959C329BF33BCCB
                                                                                                                                                                                                                                        SHA1:5FE20BB15457D1D86203C35ADD94539543261A64
                                                                                                                                                                                                                                        SHA-256:8FFD54084FCD66B7075B85E3EC34248581760DA2456B9A04DA7FD615ABB3B87F
                                                                                                                                                                                                                                        SHA-512:E7771404F73199BE3021249E6DCABBD906B7A21F219B7F0ADDE5D6C348DABA6E959EABDAC88104D4507D1B765914047B9B1FBCDA865E1A8E1FD7F3656287E8F4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF08FEF053D1F39F39.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49152
                                                                                                                                                                                                                                        Entropy (8bit):1.0005912007004407
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:EMMXukPveFXJfT5pEIDdYzqISoedvPdvbCnuhnq9JndydStedvPdvxubS:kXUHTnBDd5IciuBuJy4
                                                                                                                                                                                                                                        MD5:C329C16AF911E92532B8F1C75F505424
                                                                                                                                                                                                                                        SHA1:6ED501349C31FA9BE200F0C10496584EFEADF0B7
                                                                                                                                                                                                                                        SHA-256:3C86AC30B067A836F02D99DA9045E9F0D7A5EC551939F0C3C7F3583DAE4303E4
                                                                                                                                                                                                                                        SHA-512:C5719890ABFC60A6E5FE2F429ACBB0F27FDA4866F0A87FFADBD3CCE599D1FC8039D28C3893BA4CE544323689F9659D183F392FD477A34A96823A8CBE49E1B353
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF14BC8CA5237641D8.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2821556586620275
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:uhmulth8FXzFT55d/8BzSjndd4d/EqdcrIbQySsndd4dNWeUJm:2mhrT9/8Bz9Zc8NXeJ
                                                                                                                                                                                                                                        MD5:E782886273D0E96254761DA27FCA7DC6
                                                                                                                                                                                                                                        SHA1:658CFCE5382D0120E66EDD6F46C00D0D03ABF6B4
                                                                                                                                                                                                                                        SHA-256:7905097BDBAE2BAB391C5F5C2F78580182E686EFE3F8BE4AAA532AFFC34B603A
                                                                                                                                                                                                                                        SHA-512:81FE03CDE015DB427EBCE0E71E6BB19FFA6831D987C7EF6866374C888B7C2A1804BD538D41851F9F33ED1DECFC396DD7B3B12597C8B4DFD1A2F692A09A5EBC42
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.570021166044967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:iz8PhFuRc06WXz+FT5bfdYm81EGiSjnd/EqdGUDjrbQ6Ssnd/E8J:iahF1jFTPn81EFI3DHNP
                                                                                                                                                                                                                                        MD5:28D97CCA6BB84E0BEAE3F6F5E15DE49D
                                                                                                                                                                                                                                        SHA1:42BCB5AB606E47BB127497115ADB89DA86F57BD0
                                                                                                                                                                                                                                        SHA-256:4B48B66BDAFA78B7650A174CDA1E936DBF0E779A37D9AF7631CAB78CC1C099D5
                                                                                                                                                                                                                                        SHA-512:4C2E7085AEEDF318D7DB450C5A9136EB6CA76826411536A40DEB002E6B28CF387FC7A2C4F6DDBE303074E52AA682797A8153A5C1C4107B8A5FDB9022B81E0A9A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF1CAAE035A3979FA8.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.25741146952904
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:v6ruHth8FXz/T5ldYm818Sjnd/EqdcrIbQaSsndVWeUJmJ:yrLBTxn818IZc8NueJ
                                                                                                                                                                                                                                        MD5:9589AD573982BE87C0EE53143776B2A1
                                                                                                                                                                                                                                        SHA1:D4E07E86019290A59AF6314052615B600E55B30F
                                                                                                                                                                                                                                        SHA-256:CF4DE5FC1793A84ABAAD9DAA1D671D87151C641A235A9141B5A39FA7B3F7A9E9
                                                                                                                                                                                                                                        SHA-512:0EC20C964BC5BA3B78B32A642FAFE67A9EF87AA41876CFD0F99A1A7C1FDABA58F88AEF0BCB621C34AC60B569281B024BEB06A6C0D0C74C0B81449AFC20C88997
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6008692791240802
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:u8PhTuRc06WXz+FT5sdfqqmBSjndddwEqdGUDjrbQiSsndddSE8Qq:hhT1jFTefqqmBf3DHNaQq
                                                                                                                                                                                                                                        MD5:D6494435C7A3D0F829855F4D1FB4D80C
                                                                                                                                                                                                                                        SHA1:30455E8AE603DBB0DB881215AEFD16C509A32643
                                                                                                                                                                                                                                        SHA-256:65A1D2CE6FF64AEE2E309CCEB4BD877E6D152E2347FD40AECF7838150ED9492A
                                                                                                                                                                                                                                        SHA-512:E2430A94127B92813AF193EFA8BA0D347EF974D9218DA45A6F501E0354B8CA66E789E48ED904712CE56C011D519C3EC9F0BABD9723A4FACCDB6A6FACB6865A7C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF2936DF211C6B5571.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):0.07664228219240864
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOf7gAtIddUiHHgLyVky6lX:2F0i8n0itFzDHFV2dGiWX
                                                                                                                                                                                                                                        MD5:B0DCFA5013C5EA81E1BADB3F401556E8
                                                                                                                                                                                                                                        SHA1:4CBEEBE8B5BD173B641A88D55749018D02C37B11
                                                                                                                                                                                                                                        SHA-256:BFE51705AD40C8EED4BE8F890B7A12ABBC559055CACA672B22D987A89FE1D61A
                                                                                                                                                                                                                                        SHA-512:1A749E29FE0DA89753CA0EA5886A33D3A4A7E4F838C60A2F1A0A25DE58FED2A51D2A39223753A1C0699F3168B6CEC944275FDDA4467D56AD1DDA251CB92C7422
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.23019757709124
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:UVUuKPveFXJfT5CIDFGmqISoedGPdGTfaStedGPdGTn:IUGHTdDFkIHD
                                                                                                                                                                                                                                        MD5:F9F503838E80E0F685321259D301B072
                                                                                                                                                                                                                                        SHA1:98F51D5E167E4DF08FC93FEB32C700D7C6E21C93
                                                                                                                                                                                                                                        SHA-256:C4D3C0BD35DAACD8236FC85A853C07B709C220720A6879B18AECD310ECB919C9
                                                                                                                                                                                                                                        SHA-512:C7F3394A910155690EA4380238716494786ABEA463A56E96C91FE9E49BCEA85F4FB39BFB0CD71804B7EA778A3C80CD12177C29394044C71F1085D1E6FEFF4D61
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF35E3D090FA5CFDB6.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.15852703109702018
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:oaEuSsndd4dASjndd4d/EqdGUDjrbQE6d/8:oa/93DHdW/8
                                                                                                                                                                                                                                        MD5:D19153F732A963E60244D0229A863CBA
                                                                                                                                                                                                                                        SHA1:990618F0F46ECE55C1E7080A6F9B45CF3FD8E2F4
                                                                                                                                                                                                                                        SHA-256:96BF801CE459D48B14F69C1E8BA9BAE5453DB5762FD9531BB76FBB085EB6AE0B
                                                                                                                                                                                                                                        SHA-512:1BC8DDE0ABA340F17DE2A59CC04057AFE923E98340E45B9587BF7BCF0F97E6AF2F332A3E421567E32F0BB4B22998BA41FF7192A732EC1BEF8D19C98F78362CE7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF37013C52B0990D2E.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2796363948290237
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:i9OduFth8FXz/T5b1Qdfqqmsd1SjndddwEqdcrIbQCSsndddwWeUJmQq:iYdBBTV+fqqmM1fZc8N1eJQq
                                                                                                                                                                                                                                        MD5:BE991614D8526E6AA77D4EDF83FC6C71
                                                                                                                                                                                                                                        SHA1:C6A24DC5339BB786859DFB2C9C852B74353C6516
                                                                                                                                                                                                                                        SHA-256:A7E00EAD0CDA9C928A7EB142A93C04F8D2ABB4162DEA7FF5049DCC3CCAB08B71
                                                                                                                                                                                                                                        SHA-512:D43B92095DCD0A136FB06964882D4E75508E1FF177B939325EC37F3EB47CD3CB7A89025862FEF37A5667D9DE6C12C7F39C30A6C8CD3267B3ED9BB679526C3675
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2802178080864537
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:2hwu3th8FXzFT5Qd/8BdSjndd4d/EqdGUDjrbQSSsndd4dXE8:+w3rTS/8Bd93DHNg
                                                                                                                                                                                                                                        MD5:20A77996360BFB8B3870FEDAA036475B
                                                                                                                                                                                                                                        SHA1:DC824EE1AEA2E439D72B11681880C19F126AD4D3
                                                                                                                                                                                                                                        SHA-256:6E0B79EA9BEF65545EAD6C205EACD07E06E8350E3B869D0AB7DCA69508D1751D
                                                                                                                                                                                                                                        SHA-512:9E2C86DCC9B44AFD75EC8AF12A9262A8ECE75C8367C773EF09680CF3BD21E159B7EB4B827900788C0841B4ED7041BD84F44307ADC6E084F42A89C9203E98AF2A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF3B0E0EE6299AB0E4.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.16327658939189013
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:TEubmStedvPdv+qISoedvPdvbCnuhnq9JndyIYMmL:hybIciuBuJzzm
                                                                                                                                                                                                                                        MD5:FF79F5FDBE6F9B5A6AB06B5B0B256673
                                                                                                                                                                                                                                        SHA1:E6C9FDEAF2A340327FD2FA906EA67F290A36A7AC
                                                                                                                                                                                                                                        SHA-256:352C5B5B1559338BDF374BAACB5C3AF891AF02AEE73860D617E890FE430CD525
                                                                                                                                                                                                                                        SHA-512:8FCE0A953283FAA7713A5F91D4D327FB4A658DD7CD882E54EB6D0A378AFD0D3A23DDDF25CA197EA44D9AD46BE33B00048B2958C2D941213E81D489AB54440138
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF43E931AEB68AA588.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49152
                                                                                                                                                                                                                                        Entropy (8bit):1.0005912007004407
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:EMMXukPveFXJfT5pEIDdYzqISoedvPdvbCnuhnq9JndydStedvPdvxubS:kXUHTnBDd5IciuBuJy4
                                                                                                                                                                                                                                        MD5:C329C16AF911E92532B8F1C75F505424
                                                                                                                                                                                                                                        SHA1:6ED501349C31FA9BE200F0C10496584EFEADF0B7
                                                                                                                                                                                                                                        SHA-256:3C86AC30B067A836F02D99DA9045E9F0D7A5EC551939F0C3C7F3583DAE4303E4
                                                                                                                                                                                                                                        SHA-512:C5719890ABFC60A6E5FE2F429ACBB0F27FDA4866F0A87FFADBD3CCE599D1FC8039D28C3893BA4CE544323689F9659D183F392FD477A34A96823A8CBE49E1B353
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF55BE75C8FB960A2A.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.1455393832669032
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:TUoWeUJ4SsndYSjnd/EqdcrIbQy/dYm8:APe9WIZc8DVn8
                                                                                                                                                                                                                                        MD5:0271FC167F336FD2C5EF4C15E3279DD0
                                                                                                                                                                                                                                        SHA1:7A0477ADB6AC609650AE8C4F424A388B253E36E7
                                                                                                                                                                                                                                        SHA-256:8F27AE9059DA0111E63337A1D049B75FFF8463267BF783F55DE0D1D09CD8A0CE
                                                                                                                                                                                                                                        SHA-512:87AA4ED9DD334F060007AADAE06CA88DA065EC9B605CEA4883841492E3C52FE76531DD74261C3C20F91A6C51786C678F3D6198A0D17A2F2C4273A5E02E989CC7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):0.07896689188905408
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOAYJFROO+G9IbSVky6l/X:2F0i8n0itFzDHF7DRONN/X
                                                                                                                                                                                                                                        MD5:FC085151AC0BD68B194323C7908CA49A
                                                                                                                                                                                                                                        SHA1:4A5C9448EFDD9AD87B9C7843D2C6519C24714B08
                                                                                                                                                                                                                                        SHA-256:05E716D0BC6AE5C79D82BB4532AB460E0C341F227B47F84FEEF5B3831C145CD6
                                                                                                                                                                                                                                        SHA-512:6044C1DF5E4161E65DB91D072B7CFA8CED9556741BBF6322CBB2DF4498CBD1B6E23CA49DD438AC7BCFF5B9C6347D664F2329E98F0BD684D303C9806BB184B38D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.23019757709124
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:UVUuKPveFXJfT5CIDFGmqISoedGPdGTfaStedGPdGTn:IUGHTdDFkIHD
                                                                                                                                                                                                                                        MD5:F9F503838E80E0F685321259D301B072
                                                                                                                                                                                                                                        SHA1:98F51D5E167E4DF08FC93FEB32C700D7C6E21C93
                                                                                                                                                                                                                                        SHA-256:C4D3C0BD35DAACD8236FC85A853C07B709C220720A6879B18AECD310ECB919C9
                                                                                                                                                                                                                                        SHA-512:C7F3394A910155690EA4380238716494786ABEA463A56E96C91FE9E49BCEA85F4FB39BFB0CD71804B7EA778A3C80CD12177C29394044C71F1085D1E6FEFF4D61
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF63C7C9D4F8048B9E.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2210309836327626
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:x8PhcuRc06WXJEjT5OIDFGmqISoedGPdGTfaStedGPdGTn:Mhc1HjTZDFkIHD
                                                                                                                                                                                                                                        MD5:036247CAA4974AA6140E608C38DD34F4
                                                                                                                                                                                                                                        SHA1:06958CC942D1442072B045F57E9F2BBACA82402E
                                                                                                                                                                                                                                        SHA-256:8BF38AD5F8DEA32DFFB3526865FB78981FE0F8F36639D5E509031B2A2AE3A8F6
                                                                                                                                                                                                                                        SHA-512:05BF39A6CBCC7CCA472C569F0DE43833405A07D155BE9A94E358EFD44D9CDD60D38E288B58DFB6C08F5A125CE697AC96846106F015A11EAAA6BAB63A0D60DC16
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF6703CD2B5D6F0133.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):0.077966497703753
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO1LtCmOuPrfkiVky6l51:2F0i8n0itFzDHFzTPrfWr
                                                                                                                                                                                                                                        MD5:785EA75A2FB1DB6D9155B28A1291DAF3
                                                                                                                                                                                                                                        SHA1:6B86F7E077D0A8823383FBB776313FEDB17BFDEA
                                                                                                                                                                                                                                        SHA-256:BCD727E77C067BD5A31C13E8024F00ED60381D9AB725CAE2E6777A5708C9DDE0
                                                                                                                                                                                                                                        SHA-512:1834BBF627951711C96708EE7AA4B6C069055E832C717561DC77592E68EFB93E65FE825A5D3D13859057C93BE96CC12701D725491C4CFC49A4EE4FD40942E72A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2796363948290237
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:i9OduFth8FXz/T5b1Qdfqqmsd1SjndddwEqdcrIbQCSsndddwWeUJmQq:iYdBBTV+fqqmM1fZc8N1eJQq
                                                                                                                                                                                                                                        MD5:BE991614D8526E6AA77D4EDF83FC6C71
                                                                                                                                                                                                                                        SHA1:C6A24DC5339BB786859DFB2C9C852B74353C6516
                                                                                                                                                                                                                                        SHA-256:A7E00EAD0CDA9C928A7EB142A93C04F8D2ABB4162DEA7FF5049DCC3CCAB08B71
                                                                                                                                                                                                                                        SHA-512:D43B92095DCD0A136FB06964882D4E75508E1FF177B939325EC37F3EB47CD3CB7A89025862FEF37A5667D9DE6C12C7F39C30A6C8CD3267B3ED9BB679526C3675
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49152
                                                                                                                                                                                                                                        Entropy (8bit):1.0005912007004407
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:EMMXukPveFXJfT5pEIDdYzqISoedvPdvbCnuhnq9JndydStedvPdvxubS:kXUHTnBDd5IciuBuJy4
                                                                                                                                                                                                                                        MD5:C329C16AF911E92532B8F1C75F505424
                                                                                                                                                                                                                                        SHA1:6ED501349C31FA9BE200F0C10496584EFEADF0B7
                                                                                                                                                                                                                                        SHA-256:3C86AC30B067A836F02D99DA9045E9F0D7A5EC551939F0C3C7F3583DAE4303E4
                                                                                                                                                                                                                                        SHA-512:C5719890ABFC60A6E5FE2F429ACBB0F27FDA4866F0A87FFADBD3CCE599D1FC8039D28C3893BA4CE544323689F9659D183F392FD477A34A96823A8CBE49E1B353
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF6EF43F7DE34E2402.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2796363948290237
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:i9OduFth8FXz/T5b1Qdfqqmsd1SjndddwEqdcrIbQCSsndddwWeUJmQq:iYdBBTV+fqqmM1fZc8N1eJQq
                                                                                                                                                                                                                                        MD5:BE991614D8526E6AA77D4EDF83FC6C71
                                                                                                                                                                                                                                        SHA1:C6A24DC5339BB786859DFB2C9C852B74353C6516
                                                                                                                                                                                                                                        SHA-256:A7E00EAD0CDA9C928A7EB142A93C04F8D2ABB4162DEA7FF5049DCC3CCAB08B71
                                                                                                                                                                                                                                        SHA-512:D43B92095DCD0A136FB06964882D4E75508E1FF177B939325EC37F3EB47CD3CB7A89025862FEF37A5667D9DE6C12C7F39C30A6C8CD3267B3ED9BB679526C3675
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.5654176750757811
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:38PhluRc06WXJijT5d14cs/+GfqISoedGPdGfo8r5StedGPdGRub1n:2hl1ZjTT7sWGSIcox
                                                                                                                                                                                                                                        MD5:A4946E73B58C7B405F898B6C03B4464E
                                                                                                                                                                                                                                        SHA1:83C00A2C2F323F773C69E018A4E8CB7A5501531E
                                                                                                                                                                                                                                        SHA-256:40F2183124B92D3E3A80A94734A515B87E0F19404F236B34A420586AE70AF749
                                                                                                                                                                                                                                        SHA-512:DC79FB9118CA595AF1D669A869ED338CD1F0AF18CEEE5EB59C7D3EDFB6DE8458EB8A4178EB60AB66848B60A12BA29194E265EC00FC7B6F7824F0D61F6F01184C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF7C34FE0853000228.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2533174919132266
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:TgduksJveFXJVT5d14cs/+GfqISoedGPdGfo8r5StedGPdGRub1n:MdxtTT7sWGSIcox
                                                                                                                                                                                                                                        MD5:E151397D1B41573AEEB86B5E8F3853CA
                                                                                                                                                                                                                                        SHA1:56E057250275DBD35E02C869E346317FA307240A
                                                                                                                                                                                                                                        SHA-256:8A65A44FDF51C16886662BEB76C51EDF5EE73148AB55AC4C521B517A4851CB13
                                                                                                                                                                                                                                        SHA-512:A2DC3122F6DC541C1A42DD03FE694E00700F22DA3DA107FA044E5AF1FC7B40C808F11CEC9C0AF1EB566F751287101C61177490BE81EDD22F603CB877364A9FE2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF8A4C2E9B3729CA79.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2554141193887276
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:fT69u5th8FXz/T5LfdYm81EGiSjnd/EqdGUDjrbQ6Ssnd/E8J:f29RBTHn81EFI3DHNP
                                                                                                                                                                                                                                        MD5:C9A6073C946F174F78B6166BE31A7A72
                                                                                                                                                                                                                                        SHA1:DDB4F9E13A724FAA1DF77CDA787337D4F2BFC797
                                                                                                                                                                                                                                        SHA-256:2075282CF9A339474D57BB5A41F57493F3C4C725955017D75C080D6FB8B1D9F7
                                                                                                                                                                                                                                        SHA-512:2D26E3A797B4183BD8D602454DB7756B20B067BD82BED2C8BA6E231526F676B3F60F5F75A8BFD2CBF66B54DB2BEC2FA2CACDF76B16A5DDCADF7A1D16515BA016
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF9499529FD83F34D5.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6077637467676742
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:08PhuuRc06WXzAFT5Gd/8BzSjndd4d/EqdcrIbQySsndd4dNWeUJm:Lhu11FTQ/8Bz9Zc8NXeJ
                                                                                                                                                                                                                                        MD5:1FA714E38E6DC324A3AC9506AFB118B9
                                                                                                                                                                                                                                        SHA1:165A92EB00D70B2B23D0422847DA0ACEE2345AD9
                                                                                                                                                                                                                                        SHA-256:62EF59088A0386526C66246FE8D9F8D141A43DD1B9BB01221F1AF6D8188C4843
                                                                                                                                                                                                                                        SHA-512:68B0B70633C5B60B018324218DF1917DB428686763B232232E4D0554C78D186A6738987981EE37B1AF62BDE2FD7387DC2B96787C2D41AB2D82AF44C4D98F5555
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6008692791240802
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:u8PhTuRc06WXz+FT5sdfqqmBSjndddwEqdGUDjrbQiSsndddSE8Qq:hhT1jFTefqqmBf3DHNaQq
                                                                                                                                                                                                                                        MD5:D6494435C7A3D0F829855F4D1FB4D80C
                                                                                                                                                                                                                                        SHA1:30455E8AE603DBB0DB881215AEFD16C509A32643
                                                                                                                                                                                                                                        SHA-256:65A1D2CE6FF64AEE2E309CCEB4BD877E6D152E2347FD40AECF7838150ED9492A
                                                                                                                                                                                                                                        SHA-512:E2430A94127B92813AF193EFA8BA0D347EF974D9218DA45A6F501E0354B8CA66E789E48ED904712CE56C011D519C3EC9F0BABD9723A4FACCDB6A6FACB6865A7C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF996F65DABC71DB09.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2778089812392408
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:FOLuXth8FXz/T5bydfqqmBSjndddwEqdGUDjrbQiSsndddSE8Qq:wLXBTVufqqmBf3DHNaQq
                                                                                                                                                                                                                                        MD5:D528564E6B231B1FFBE6099E3BAA245C
                                                                                                                                                                                                                                        SHA1:3429CF4B729D9B4BDC9FC782923AFABDE006D1E5
                                                                                                                                                                                                                                        SHA-256:0B058DA4A88180C702BB00261691D67408F057D4C285DC70A1F206E4BEA53A4A
                                                                                                                                                                                                                                        SHA-512:9ECF0D505CFB8FFF733C5C88F6F6FCFFF76148206C97150C15304FB1AB15EA595A504C021C00152ED28FE788C071D36E1C73FA46E4479235FD1CC2D2BFBD3771
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFA2C5F5D379769A58.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.14328880631953916
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:CnVubmStedGPdGeqISoedGPdGfo8r3wi4cs/L:icyLIWwwsj
                                                                                                                                                                                                                                        MD5:1E2222B872062FA80184953463518BCB
                                                                                                                                                                                                                                        SHA1:CDD55687FD2FF30BF2D0804237962A8913650455
                                                                                                                                                                                                                                        SHA-256:9E2DEEA0C960DBFF3E6D555EA637E82ED5085DF6A45C9DB34C589C0DDD211DE1
                                                                                                                                                                                                                                        SHA-512:5C8E748D77EC01FEF26F53C63BCE1CE01C07D4ED17455396861946D5C4071362BBC110CCC386D419115A1B3BA327EA67FE4B3DA1AC9524816CD8EC59D51EA3EF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFA33DC725B6A6D433.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6077637467676742
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:08PhuuRc06WXzAFT5Gd/8BzSjndd4d/EqdcrIbQySsndd4dNWeUJm:Lhu11FTQ/8Bz9Zc8NXeJ
                                                                                                                                                                                                                                        MD5:1FA714E38E6DC324A3AC9506AFB118B9
                                                                                                                                                                                                                                        SHA1:165A92EB00D70B2B23D0422847DA0ACEE2345AD9
                                                                                                                                                                                                                                        SHA-256:62EF59088A0386526C66246FE8D9F8D141A43DD1B9BB01221F1AF6D8188C4843
                                                                                                                                                                                                                                        SHA-512:68B0B70633C5B60B018324218DF1917DB428686763B232232E4D0554C78D186A6738987981EE37B1AF62BDE2FD7387DC2B96787C2D41AB2D82AF44C4D98F5555
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.25741146952904
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:v6ruHth8FXz/T5ldYm818Sjnd/EqdcrIbQaSsndVWeUJmJ:yrLBTxn818IZc8NueJ
                                                                                                                                                                                                                                        MD5:9589AD573982BE87C0EE53143776B2A1
                                                                                                                                                                                                                                        SHA1:D4E07E86019290A59AF6314052615B600E55B30F
                                                                                                                                                                                                                                        SHA-256:CF4DE5FC1793A84ABAAD9DAA1D671D87151C641A235A9141B5A39FA7B3F7A9E9
                                                                                                                                                                                                                                        SHA-512:0EC20C964BC5BA3B78B32A642FAFE67A9EF87AA41876CFD0F99A1A7C1FDABA58F88AEF0BCB621C34AC60B569281B024BEB06A6C0D0C74C0B81449AFC20C88997
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.25741146952904
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:v6ruHth8FXz/T5ldYm818Sjnd/EqdcrIbQaSsndVWeUJmJ:yrLBTxn818IZc8NueJ
                                                                                                                                                                                                                                        MD5:9589AD573982BE87C0EE53143776B2A1
                                                                                                                                                                                                                                        SHA1:D4E07E86019290A59AF6314052615B600E55B30F
                                                                                                                                                                                                                                        SHA-256:CF4DE5FC1793A84ABAAD9DAA1D671D87151C641A235A9141B5A39FA7B3F7A9E9
                                                                                                                                                                                                                                        SHA-512:0EC20C964BC5BA3B78B32A642FAFE67A9EF87AA41876CFD0F99A1A7C1FDABA58F88AEF0BCB621C34AC60B569281B024BEB06A6C0D0C74C0B81449AFC20C88997
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.5732159578780793
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:R8PhzuRc06WXz+FT51dYm818Sjnd/EqdcrIbQaSsndVWeUJmJ:shz1jFTJn818IZc8NueJ
                                                                                                                                                                                                                                        MD5:499E294561F4F090FC8514244BDE1249
                                                                                                                                                                                                                                        SHA1:F728120BE8AD5C4EEA12CD3589BDB122FC79B0E7
                                                                                                                                                                                                                                        SHA-256:75321E4A05BC26683C298CDDF9DCECF2CC2CA933881CC1C51F4E784A63FE90ED
                                                                                                                                                                                                                                        SHA-512:B16E10C8569C8BF5E352B3061AA36FC2C87F945B023DA8B0C39EB6BD5BB16D456D49C4911A00F4299C024E27F06055307F6FCE24BB486D4ED64A168FE3034176
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.15728641107125269
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:6qoWEuSsndddPSjndddwEqdGUDjrbQXNdfqq:6qoW9f3DHeffqq
                                                                                                                                                                                                                                        MD5:A1F2AF007EC91E8F4A7A605037EEEB29
                                                                                                                                                                                                                                        SHA1:27C7AFA4CB2CD8F2D6B4A355381327CFE76CF599
                                                                                                                                                                                                                                        SHA-256:5553BBD91A2C79A95157779CDEED96FD7324A884A886B3F1DC31E27B3B9024F8
                                                                                                                                                                                                                                        SHA-512:A17F43F8125DFCBEA5BACD4BE6C1AC9182F242F3ACE4307A2621D1DF9CC8CC75B0AAF55068A1A46C02CC5D436EE2521893ED3C519486CF944C9789D9FF727D15
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFB35298A01031E4F1.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2554141193887276
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:fT69u5th8FXz/T5LfdYm81EGiSjnd/EqdGUDjrbQ6Ssnd/E8J:f29RBTHn81EFI3DHNP
                                                                                                                                                                                                                                        MD5:C9A6073C946F174F78B6166BE31A7A72
                                                                                                                                                                                                                                        SHA1:DDB4F9E13A724FAA1DF77CDA787337D4F2BFC797
                                                                                                                                                                                                                                        SHA-256:2075282CF9A339474D57BB5A41F57493F3C4C725955017D75C080D6FB8B1D9F7
                                                                                                                                                                                                                                        SHA-512:2D26E3A797B4183BD8D602454DB7756B20B067BD82BED2C8BA6E231526F676B3F60F5F75A8BFD2CBF66B54DB2BEC2FA2CACDF76B16A5DDCADF7A1D16515BA016
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFB393DFCC6F72C642.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.15782572191969732
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:6qoMWeUJ4SsndddPSjndddwEqdcrIbQSdQIdfqqO:6qoDe99fZc85Qgfqq
                                                                                                                                                                                                                                        MD5:51561650FB9789A1193AE927D1F48EA6
                                                                                                                                                                                                                                        SHA1:CAD489C48565200B891E1B11716D99DC2398BE1A
                                                                                                                                                                                                                                        SHA-256:EFF8FA288281A6E047426666FB74B45EC77739793FEFABC6724074F7C8071D17
                                                                                                                                                                                                                                        SHA-512:F7CC056213CCCE85CEF068FE6F7C2C63C15041517A1FB0CB2A8EFC8D131DBDF32C4D46D45549B408EE727249C7EDDDFC9C790A13A6003D125FDDA43E5B269379
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.15892863448024125
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:oAWeUJ4Ssndd4dASjndd4d/EqdcrIbQhxd/8:o3e9/9Zc8Ib/8
                                                                                                                                                                                                                                        MD5:DA2482243250A87C3218F43191E440C9
                                                                                                                                                                                                                                        SHA1:DA371404FD01FE218C0FD520F0DB325CD11B18D3
                                                                                                                                                                                                                                        SHA-256:5227A8A30C85BACC1A665C4510F4F59C123716D561E6FD26D78B076CC0AF1296
                                                                                                                                                                                                                                        SHA-512:F0718AE2B585C38A8A851DB9510D17A9B44286ADDBB7290D883DD651DC900CBC2D148F883918E22B6EE0141F6A2711FB4B3AE956E6C5F6CA670DC8DBEBBBD35F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.5732159578780793
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:R8PhzuRc06WXz+FT51dYm818Sjnd/EqdcrIbQaSsndVWeUJmJ:shz1jFTJn818IZc8NueJ
                                                                                                                                                                                                                                        MD5:499E294561F4F090FC8514244BDE1249
                                                                                                                                                                                                                                        SHA1:F728120BE8AD5C4EEA12CD3589BDB122FC79B0E7
                                                                                                                                                                                                                                        SHA-256:75321E4A05BC26683C298CDDF9DCECF2CC2CA933881CC1C51F4E784A63FE90ED
                                                                                                                                                                                                                                        SHA-512:B16E10C8569C8BF5E352B3061AA36FC2C87F945B023DA8B0C39EB6BD5BB16D456D49C4911A00F4299C024E27F06055307F6FCE24BB486D4ED64A168FE3034176
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2533174919132266
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:TgduksJveFXJVT5d14cs/+GfqISoedGPdGfo8r5StedGPdGRub1n:MdxtTT7sWGSIcox
                                                                                                                                                                                                                                        MD5:E151397D1B41573AEEB86B5E8F3853CA
                                                                                                                                                                                                                                        SHA1:56E057250275DBD35E02C869E346317FA307240A
                                                                                                                                                                                                                                        SHA-256:8A65A44FDF51C16886662BEB76C51EDF5EE73148AB55AC4C521B517A4851CB13
                                                                                                                                                                                                                                        SHA-512:A2DC3122F6DC541C1A42DD03FE694E00700F22DA3DA107FA044E5AF1FC7B40C808F11CEC9C0AF1EB566F751287101C61177490BE81EDD22F603CB877364A9FE2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFBE3B8FD725155D54.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6047714907141517
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:98Ph4uRc06WXzAFT5vd/8BdSjndd4d/EqdGUDjrbQSSsndd4dXE8:gh411FT7/8Bd93DHNg
                                                                                                                                                                                                                                        MD5:D76F903BC682A7EBD580BAD0D67E7AD5
                                                                                                                                                                                                                                        SHA1:085B97AEF044202739804EED1788CFD43254BC6C
                                                                                                                                                                                                                                        SHA-256:D0D2A95FEBF9F56FA19BFE3E5A0A90D270F2129E44AE21481C67714D00989BBF
                                                                                                                                                                                                                                        SHA-512:F795774A02E062A799BC0BE68E589C40380E5B6836F086B1CE24A1A4D061575C43635DE887467D4BA5B2B58A8BD882CDC1BF2BB771B6095664123DCD40E52220
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFC30C51A7ABE3BDBD.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2802178080864537
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:2hwu3th8FXzFT5Qd/8BdSjndd4d/EqdGUDjrbQSSsndd4dXE8:+w3rTS/8Bd93DHNg
                                                                                                                                                                                                                                        MD5:20A77996360BFB8B3870FEDAA036475B
                                                                                                                                                                                                                                        SHA1:DC824EE1AEA2E439D72B11681880C19F126AD4D3
                                                                                                                                                                                                                                        SHA-256:6E0B79EA9BEF65545EAD6C205EACD07E06E8350E3B869D0AB7DCA69508D1751D
                                                                                                                                                                                                                                        SHA-512:9E2C86DCC9B44AFD75EC8AF12A9262A8ECE75C8367C773EF09680CF3BD21E159B7EB4B827900788C0841B4ED7041BD84F44307ADC6E084F42A89C9203E98AF2A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFC379EDB94CDC4657.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2210309836327626
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:x8PhcuRc06WXJEjT5OIDFGmqISoedGPdGTfaStedGPdGTn:Mhc1HjTZDFkIHD
                                                                                                                                                                                                                                        MD5:036247CAA4974AA6140E608C38DD34F4
                                                                                                                                                                                                                                        SHA1:06958CC942D1442072B045F57E9F2BBACA82402E
                                                                                                                                                                                                                                        SHA-256:8BF38AD5F8DEA32DFFB3526865FB78981FE0F8F36639D5E509031B2A2AE3A8F6
                                                                                                                                                                                                                                        SHA-512:05BF39A6CBCC7CCA472C569F0DE43833405A07D155BE9A94E358EFD44D9CDD60D38E288B58DFB6C08F5A125CE697AC96846106F015A11EAAA6BAB63A0D60DC16
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFC685BE6DABE82B53.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2778089812392408
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:FOLuXth8FXz/T5bydfqqmBSjndddwEqdGUDjrbQiSsndddSE8Qq:wLXBTVufqqmBf3DHNaQq
                                                                                                                                                                                                                                        MD5:D528564E6B231B1FFBE6099E3BAA245C
                                                                                                                                                                                                                                        SHA1:3429CF4B729D9B4BDC9FC782923AFABDE006D1E5
                                                                                                                                                                                                                                        SHA-256:0B058DA4A88180C702BB00261691D67408F057D4C285DC70A1F206E4BEA53A4A
                                                                                                                                                                                                                                        SHA-512:9ECF0D505CFB8FFF733C5C88F6F6FCFFF76148206C97150C15304FB1AB15EA595A504C021C00152ED28FE788C071D36E1C73FA46E4479235FD1CC2D2BFBD3771
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFC8BEA5F80B2C2FA1.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.23019757709124
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:UVUuKPveFXJfT5CIDFGmqISoedGPdGTfaStedGPdGTn:IUGHTdDFkIHD
                                                                                                                                                                                                                                        MD5:F9F503838E80E0F685321259D301B072
                                                                                                                                                                                                                                        SHA1:98F51D5E167E4DF08FC93FEB32C700D7C6E21C93
                                                                                                                                                                                                                                        SHA-256:C4D3C0BD35DAACD8236FC85A853C07B709C220720A6879B18AECD310ECB919C9
                                                                                                                                                                                                                                        SHA-512:C7F3394A910155690EA4380238716494786ABEA463A56E96C91FE9E49BCEA85F4FB39BFB0CD71804B7EA778A3C80CD12177C29394044C71F1085D1E6FEFF4D61
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFCFC99B1B1B88CC51.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.1301899166465
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:CnAipVfedGSadGS7qIipVGedGSadGSfEqasJG2WTZkPQ8+olv+na:CnAStedGPdGeqISoedGPdGTfsJFvL
                                                                                                                                                                                                                                        MD5:730245AAC32200998D46D8EDF3005BC4
                                                                                                                                                                                                                                        SHA1:37166045E48F0D4D5FBB482E2E6F88D872FCD681
                                                                                                                                                                                                                                        SHA-256:885EB3FF2502D543E68DE3E0211F9B60C2BE12A7A918A9781FE61A795161048A
                                                                                                                                                                                                                                        SHA-512:5CE55C5D92E81B0D77653FEAC2C4F583254E6B316F8E40C6C3E19B25EA8D5B6381007A056719B125C09F2B15991A4A6B9D7FECA1C3B7EE62BA4522656D0EAC4A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFD2D3E72787CCF9CE.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2802178080864537
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:2hwu3th8FXzFT5Qd/8BdSjndd4d/EqdGUDjrbQSSsndd4dXE8:+w3rTS/8Bd93DHNg
                                                                                                                                                                                                                                        MD5:20A77996360BFB8B3870FEDAA036475B
                                                                                                                                                                                                                                        SHA1:DC824EE1AEA2E439D72B11681880C19F126AD4D3
                                                                                                                                                                                                                                        SHA-256:6E0B79EA9BEF65545EAD6C205EACD07E06E8350E3B869D0AB7DCA69508D1751D
                                                                                                                                                                                                                                        SHA-512:9E2C86DCC9B44AFD75EC8AF12A9262A8ECE75C8367C773EF09680CF3BD21E159B7EB4B827900788C0841B4ED7041BD84F44307ADC6E084F42A89C9203E98AF2A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFD6CD53E6643D16C5.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6198126321340909
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:Q8PhPuRc06WXJEjT5+IDdYzqISoedvPdvbCnuhnq9JndydStedvPdvxubS:/hP1HjTpDd5IciuBuJy4
                                                                                                                                                                                                                                        MD5:75DC780B0105B05B3A7DBC1BD175F899
                                                                                                                                                                                                                                        SHA1:D623407B569F616486F4331870B506EA45ED8FDA
                                                                                                                                                                                                                                        SHA-256:C74C13ABC75BCEF6740971C82E5159797E25F8B235CE244C19D7E562D8FC4E8D
                                                                                                                                                                                                                                        SHA-512:01611B45211FAD1D0A03A48E734D538143EDFFB64A6FD1BBD6AAA11CB6A46A3DBA365B31E6F494F8D58B1C3C8147CFAB9C6D7B98E02C774B94CAE3365C9EE9DA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFD6D4C4C3DBF9F85F.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.603995457286122
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:iz8PhluRc06WXz+FT57Qdfqqmsd1SjndddwEqdcrIbQCSsndddwWeUJmQq:iahl1jFTufqqmM1fZc8N1eJQq
                                                                                                                                                                                                                                        MD5:AFDD7B15C84462C0F629FDBC8CD3086F
                                                                                                                                                                                                                                        SHA1:F272593189061CA0F649E159326E8AE6CCE733C7
                                                                                                                                                                                                                                        SHA-256:8C097D768D6783CCAF7CC384B6E2651F10E21F4C4E4E6A47167AB08B900C8CEC
                                                                                                                                                                                                                                        SHA-512:65E7F746DB66121FA077F636173A297CCF105E969030A9D662A080BF31727689B074177D6EFCA2E2D446A1513698FB6C48900BECBCDAAFD209AFC5B642241ABA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.570021166044967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:iz8PhFuRc06WXz+FT5bfdYm81EGiSjnd/EqdGUDjrbQ6Ssnd/E8J:iahF1jFTPn81EFI3DHNP
                                                                                                                                                                                                                                        MD5:28D97CCA6BB84E0BEAE3F6F5E15DE49D
                                                                                                                                                                                                                                        SHA1:42BCB5AB606E47BB127497115ADB89DA86F57BD0
                                                                                                                                                                                                                                        SHA-256:4B48B66BDAFA78B7650A174CDA1E936DBF0E779A37D9AF7631CAB78CC1C099D5
                                                                                                                                                                                                                                        SHA-512:4C2E7085AEEDF318D7DB450C5A9136EB6CA76826411536A40DEB002E6B28CF387FC7A2C4F6DDBE303074E52AA682797A8153A5C1C4107B8A5FDB9022B81E0A9A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFDC01BFBC08A00211.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.5654176750757811
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:38PhluRc06WXJijT5d14cs/+GfqISoedGPdGfo8r5StedGPdGRub1n:2hl1ZjTT7sWGSIcox
                                                                                                                                                                                                                                        MD5:A4946E73B58C7B405F898B6C03B4464E
                                                                                                                                                                                                                                        SHA1:83C00A2C2F323F773C69E018A4E8CB7A5501531E
                                                                                                                                                                                                                                        SHA-256:40F2183124B92D3E3A80A94734A515B87E0F19404F236B34A420586AE70AF749
                                                                                                                                                                                                                                        SHA-512:DC79FB9118CA595AF1D669A869ED338CD1F0AF18CEEE5EB59C7D3EDFB6DE8458EB8A4178EB60AB66848B60A12BA29194E265EC00FC7B6F7824F0D61F6F01184C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFE10225C8A87DB3B6.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.603995457286122
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:iz8PhluRc06WXz+FT57Qdfqqmsd1SjndddwEqdcrIbQCSsndddwWeUJmQq:iahl1jFTufqqmM1fZc8N1eJQq
                                                                                                                                                                                                                                        MD5:AFDD7B15C84462C0F629FDBC8CD3086F
                                                                                                                                                                                                                                        SHA1:F272593189061CA0F649E159326E8AE6CCE733C7
                                                                                                                                                                                                                                        SHA-256:8C097D768D6783CCAF7CC384B6E2651F10E21F4C4E4E6A47167AB08B900C8CEC
                                                                                                                                                                                                                                        SHA-512:65E7F746DB66121FA077F636173A297CCF105E969030A9D662A080BF31727689B074177D6EFCA2E2D446A1513698FB6C48900BECBCDAAFD209AFC5B642241ABA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2821556586620275
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:uhmulth8FXzFT55d/8BzSjndd4d/EqdcrIbQySsndd4dNWeUJm:2mhrT9/8Bz9Zc8NXeJ
                                                                                                                                                                                                                                        MD5:E782886273D0E96254761DA27FCA7DC6
                                                                                                                                                                                                                                        SHA1:658CFCE5382D0120E66EDD6F46C00D0D03ABF6B4
                                                                                                                                                                                                                                        SHA-256:7905097BDBAE2BAB391C5F5C2F78580182E686EFE3F8BE4AAA532AFFC34B603A
                                                                                                                                                                                                                                        SHA-512:81FE03CDE015DB427EBCE0E71E6BB19FFA6831D987C7EF6866374C888B7C2A1804BD538D41851F9F33ED1DECFC396DD7B3B12597C8B4DFD1A2F692A09A5EBC42
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2533174919132266
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:TgduksJveFXJVT5d14cs/+GfqISoedGPdGfo8r5StedGPdGRub1n:MdxtTT7sWGSIcox
                                                                                                                                                                                                                                        MD5:E151397D1B41573AEEB86B5E8F3853CA
                                                                                                                                                                                                                                        SHA1:56E057250275DBD35E02C869E346317FA307240A
                                                                                                                                                                                                                                        SHA-256:8A65A44FDF51C16886662BEB76C51EDF5EE73148AB55AC4C521B517A4851CB13
                                                                                                                                                                                                                                        SHA-512:A2DC3122F6DC541C1A42DD03FE694E00700F22DA3DA107FA044E5AF1FC7B40C808F11CEC9C0AF1EB566F751287101C61177490BE81EDD22F603CB877364A9FE2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFECB08EC1F778426B.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2821556586620275
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:uhmulth8FXzFT55d/8BzSjndd4d/EqdcrIbQySsndd4dNWeUJm:2mhrT9/8Bz9Zc8NXeJ
                                                                                                                                                                                                                                        MD5:E782886273D0E96254761DA27FCA7DC6
                                                                                                                                                                                                                                        SHA1:658CFCE5382D0120E66EDD6F46C00D0D03ABF6B4
                                                                                                                                                                                                                                        SHA-256:7905097BDBAE2BAB391C5F5C2F78580182E686EFE3F8BE4AAA532AFFC34B603A
                                                                                                                                                                                                                                        SHA-512:81FE03CDE015DB427EBCE0E71E6BB19FFA6831D987C7EF6866374C888B7C2A1804BD538D41851F9F33ED1DECFC396DD7B3B12597C8B4DFD1A2F692A09A5EBC42
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2554141193887276
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:fT69u5th8FXz/T5LfdYm81EGiSjnd/EqdGUDjrbQ6Ssnd/E8J:f29RBTHn81EFI3DHNP
                                                                                                                                                                                                                                        MD5:C9A6073C946F174F78B6166BE31A7A72
                                                                                                                                                                                                                                        SHA1:DDB4F9E13A724FAA1DF77CDA787337D4F2BFC797
                                                                                                                                                                                                                                        SHA-256:2075282CF9A339474D57BB5A41F57493F3C4C725955017D75C080D6FB8B1D9F7
                                                                                                                                                                                                                                        SHA-512:2D26E3A797B4183BD8D602454DB7756B20B067BD82BED2C8BA6E231526F676B3F60F5F75A8BFD2CBF66B54DB2BEC2FA2CACDF76B16A5DDCADF7A1D16515BA016
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFF2A9E24987C1ED43.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):0.07983391774199625
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO4yEOjg7SVky6l/X:2F0i8n0itFzDHF2Vt/X
                                                                                                                                                                                                                                        MD5:8EFFECF0F29DB122BC857B544D850D65
                                                                                                                                                                                                                                        SHA1:DE6A8B49C932AA051169EE79D7070F520E4E70BE
                                                                                                                                                                                                                                        SHA-256:57A76199CC984828B15FFAE86BB219DF22ECB3087CAC3BC4ED5FD8F1FC7E81AA
                                                                                                                                                                                                                                        SHA-512:05C0A6D612BABE246412C4FD2A70CCFC9375AE11736461A693561E5E8436B11B13E5D7B20E41E1A8F0E1BAC7576C8A9B2CD925D46FF8672AFA6492ACF6C1C1CD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):0.07773748638646297
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOE+sc/P0QhPbgVky6lW:2F0i8n0itFzDHFN1P0onW
                                                                                                                                                                                                                                        MD5:8E2DBA915D62F314B0A9F31196AE704A
                                                                                                                                                                                                                                        SHA1:CAFB0FBD3F4499C9D3D71516FF751E0373B5F16E
                                                                                                                                                                                                                                        SHA-256:26163C245CE1141831EFD7209B484DB34F9801E8398FBE0578E6AEB5AE0A1142
                                                                                                                                                                                                                                        SHA-512:18DD016DF80BFBA10D41070ECC2E0839A7D3AF5A75544F7CC0E6F906F45AB0B226E00E5ADAC644BAC2223B7D579636F045B882B41986BF0FC07E874902379D35
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6198126321340909
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:Q8PhPuRc06WXJEjT5+IDdYzqISoedvPdvbCnuhnq9JndydStedvPdvxubS:/hP1HjTpDd5IciuBuJy4
                                                                                                                                                                                                                                        MD5:75DC780B0105B05B3A7DBC1BD175F899
                                                                                                                                                                                                                                        SHA1:D623407B569F616486F4331870B506EA45ED8FDA
                                                                                                                                                                                                                                        SHA-256:C74C13ABC75BCEF6740971C82E5159797E25F8B235CE244C19D7E562D8FC4E8D
                                                                                                                                                                                                                                        SHA-512:01611B45211FAD1D0A03A48E734D538143EDFFB64A6FD1BBD6AAA11CB6A46A3DBA365B31E6F494F8D58B1C3C8147CFAB9C6D7B98E02C774B94CAE3365C9EE9DA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFFEBA617B4563588C.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):416
                                                                                                                                                                                                                                        Entropy (8bit):5.333293088532865
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:1oTXHX7COtzZiTXgCgEkA4y9tUXTXEotXjUXTXHX7Hw:WH+gi9gFG9Q7XyHbw
                                                                                                                                                                                                                                        MD5:47CD21AE8CB89F8E9510EFBDCDA7A7A1
                                                                                                                                                                                                                                        SHA1:03436944B32803040D1CC19C7A97E3BDC90E059A
                                                                                                                                                                                                                                        SHA-256:52EBA8595319D1A5387C826A9D2319304A57C787B5819990507A29AA6F4AE0A7
                                                                                                                                                                                                                                        SHA-512:03ADC09EF9488E9056A967DB6AE0CD6B96178EFC13BF102B42AED5FE4BC09365FF35A9A6AC667761EEA00A267F574DE35BA411A8943BF83D149B6AAFF162E4D9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024-08-05 16:19:19.5423|INFO|WindowsInstallerFactory|AdAgentPackage Execute Start..2024-08-05 16:19:19.6048|INFO|WindowsInstallerFactory|Parameters: AdCommandType: Maintenance InstallationFileUrl: https://get.anydesk.com/8CQsu9kv/AnyDesk_Custom_Client.msi..2024-08-05 16:19:19.6204|INFO|WindowsInstallerFactory|AnyDesk Status: None..2024-08-05 16:19:19.6204|INFO|WindowsInstallerFactory|AdAgentPackage Execute End..
                                                                                                                                                                                                                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Entropy (8bit):7.878658685893347
                                                                                                                                                                                                                                        TrID:
                                                                                                                                                                                                                                        • Microsoft Windows Installer (60509/1) 57.88%
                                                                                                                                                                                                                                        • ClickyMouse macro set (36024/1) 34.46%
                                                                                                                                                                                                                                        • Generic OLE2 / Multistream Compound File (8008/1) 7.66%
                                                                                                                                                                                                                                        File name:setup_it_security (1).msi
                                                                                                                                                                                                                                        File size:2'994'176 bytes
                                                                                                                                                                                                                                        MD5:4c2ccd8e957c65e8c7ef53c5147066c3
                                                                                                                                                                                                                                        SHA1:6cd11864dfe9f061c2a4e599304934d94f8c36e8
                                                                                                                                                                                                                                        SHA256:3809affad6dc10de4613edb2c172f47b641b0393270a129b24683ccd30fb39d7
                                                                                                                                                                                                                                        SHA512:8ef0ac1323c4a3da1e892892b46b71f08901aeb3142250144ce2514058ca593de9d05b88cfe502336dca4910bab2ede7023aa7c09364c60647cf50f3aa9749ff
                                                                                                                                                                                                                                        SSDEEP:49152:1+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:1+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                        TLSH:CAD523127584483AE37B0A358D7AD6A05E7DFE605B70CA8E9308741E2E705C1AB76F73
                                                                                                                                                                                                                                        Icon Hash:2d2e3797b32b2b99
                                                                                                                                                                                                                                        Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.


                                                                                                                                                                                                                                        Target ID:0
                                                                                                                                                                                                                                        Start time:16:18:00
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup_it_security (1).msi"
                                                                                                                                                                                                                                        Imagebase:0x7ff768e50000
                                                                                                                                                                                                                                        File size:69'632 bytes
                                                                                                                                                                                                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:1
                                                                                                                                                                                                                                        Start time:16:18:00
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                        Imagebase:0x7ff768e50000
                                                                                                                                                                                                                                        File size:69'632 bytes
                                                                                                                                                                                                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Target ID:2
                                                                                                                                                                                                                                        Start time:16:18:00
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 876136AFC6C35375E8E539CFFE1FB058
                                                                                                                                                                                                                                        Imagebase:0x2b0000
                                                                                                                                                                                                                                        File size:59'904 bytes
                                                                                                                                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:3
                                                                                                                                                                                                                                        Start time:16:18:01
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSI380B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5781625 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                                                                                                                                                                                                                        Imagebase:0x80000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000003.00000003.1688487310.00000000048AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:4
                                                                                                                                                                                                                                        Start time:16:18:02
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSI3C81.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5782703 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                                                                                                                                                                                                                        Imagebase:0x80000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000002.1732354769.0000000004551000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000002.1732354769.00000000045F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000003.1699758147.000000000417C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:5
                                                                                                                                                                                                                                        Start time:16:18:05
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSI4B86.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5786531 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                                                                                                                                                                                                                        Imagebase:0x80000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000003.1734699805.0000000004DA7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:6
                                                                                                                                                                                                                                        Start time:16:18:06
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding F3FE6E8483124E64450C53B6CA0F2865 E Global\MSI0000
                                                                                                                                                                                                                                        Imagebase:0x2b0000
                                                                                                                                                                                                                                        File size:59'904 bytes
                                                                                                                                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:7
                                                                                                                                                                                                                                        Start time:16:18:06
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\net.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"NET" STOP AteraAgent
                                                                                                                                                                                                                                        Imagebase:0xdd0000
                                                                                                                                                                                                                                        File size:47'104 bytes
                                                                                                                                                                                                                                        MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:8
                                                                                                                                                                                                                                        Start time:16:18:06
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:9
                                                                                                                                                                                                                                        Start time:16:18:06
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\net1 STOP AteraAgent
                                                                                                                                                                                                                                        Imagebase:0xa00000
                                                                                                                                                                                                                                        File size:139'776 bytes
                                                                                                                                                                                                                                        MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:10
                                                                                                                                                                                                                                        Start time:16:18:06
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"TaskKill.exe" /f /im AteraAgent.exe
                                                                                                                                                                                                                                        Imagebase:0xec0000
                                                                                                                                                                                                                                        File size:74'240 bytes
                                                                                                                                                                                                                                        MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:11
                                                                                                                                                                                                                                        Start time:16:18:06
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:12
                                                                                                                                                                                                                                        Start time:16:18:07
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="it@netnut.io" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000CDtpOIAT" /AgentId="219cfac1-8d31-4145-a06a-203fddd623c4"
                                                                                                                                                                                                                                        Imagebase:0x24aaf9a0000
                                                                                                                                                                                                                                        File size:145'968 bytes
                                                                                                                                                                                                                                        MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 16%, ReversingLabs
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:13
                                                                                                                                                                                                                                        Start time:16:18:10
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                                                                                                                                                        Imagebase:0x183a3a40000
                                                                                                                                                                                                                                        File size:145'968 bytes
                                                                                                                                                                                                                                        MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2240249555.00000183BD0A7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2216953221.00000183A4632000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2216953221.00000183A43A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:14
                                                                                                                                                                                                                                        Start time:16:18:11
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                                                                                                                                                        Imagebase:0x7ff79f1a0000
                                                                                                                                                                                                                                        File size:72'192 bytes
                                                                                                                                                                                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:15
                                                                                                                                                                                                                                        Start time:16:18:11
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:16
                                                                                                                                                                                                                                        Start time:16:18:11
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSI6210.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5792296 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                                                                                                                                                                                                                        Imagebase:0x80000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000003.1792676963.0000000004232000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1836122126.0000000004591000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1836122126.0000000004634000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:18
                                                                                                                                                                                                                                        Start time:16:18:20
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "80051a9b-3773-4781-a860-0a1fa9902094" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000CDtpOIAT
                                                                                                                                                                                                                                        Imagebase:0x1f414440000
                                                                                                                                                                                                                                        File size:176'176 bytes
                                                                                                                                                                                                                                        MD5 hash:ACCE8B17DE63299AA4D5CB7D709BEEDC
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:19
                                                                                                                                                                                                                                        Start time:16:18:20
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:20
                                                                                                                                                                                                                                        Start time:16:18:20
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "d9931af6-1b9d-44c1-9ed5-93aefcf99ae5" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000CDtpOIAT
                                                                                                                                                                                                                                        Imagebase:0x1d31a900000
                                                                                                                                                                                                                                        File size:176'176 bytes
                                                                                                                                                                                                                                        MD5 hash:ACCE8B17DE63299AA4D5CB7D709BEEDC
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:21
                                                                                                                                                                                                                                        Start time:16:18:20
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff70f330000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:24
                                                                                                                                                                                                                                        Start time:16:18:23
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "54c44644-c1a6-46f7-9967-66ad9bd7a25c" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000CDtpOIAT
                                                                                                                                                                                                                                        Imagebase:0x17029be0000
                                                                                                                                                                                                                                        File size:176'176 bytes
                                                                                                                                                                                                                                        MD5 hash:ACCE8B17DE63299AA4D5CB7D709BEEDC
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:25
                                                                                                                                                                                                                                        Start time:16:18:23
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:26
                                                                                                                                                                                                                                        Start time:16:18:24
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                                                                                                                                                        Imagebase:0x26720250000
                                                                                                                                                                                                                                        File size:145'968 bytes
                                                                                                                                                                                                                                        MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2624729604.00000267210CF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2624729604.00000267210A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2624729604.0000026720EC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.3112170679.00000267398C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2624729604.0000026721051000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.3083045471.0000026739496000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2581135478.0000026720427000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2624729604.0000026720DC5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2624729604.0000026720BE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:27
Start time:16:18:24
Start date:05/08/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Imagebase:0x7ff79f1a0000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:16:18:24
Start date:05/08/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:16:18:25
Start date:05/08/2024
Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "d85c307e-1608-4140-9ac8-c846e708cdc6" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000CDtpOIAT
Imagebase:0x1bc4a4d0000
File size:176'176 bytes
MD5 hash:ACCE8B17DE63299AA4D5CB7D709BEEDC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:30
Start time:16:18:25
Start date:05/08/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:31
Start time:16:18:26
Start date:05/08/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Imagebase:0x7ff628bc0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2240343644.000001BC69623000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2240446746.000001BC697D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2240343644.000001BC69600000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000003.1937607927.000001BC697F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2240343644.000001BC6960B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:32
Start time:16:18:26
Start date:05/08/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:33
Start time:16:18:26
Start date:05/08/2024
Path:C:\Windows\System32\cscript.exe
Wow64 process (32bit):false
Commandline:cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Imagebase:0x7ff76e3f0000
File size:161'280 bytes
MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.3262387464.0000021008D00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:false

                                                                                                                                                                                                                                        Target ID:34
                                                                                                                                                                                                                                        Start time:16:18:29
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "8e4f2c67-2211-44b9-9c5e-9e2f7f6d852f" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000CDtpOIAT
                                                                                                                                                                                                                                        Imagebase:0x21cbf210000
                                                                                                                                                                                                                                        File size:396'336 bytes
                                                                                                                                                                                                                                        MD5 hash:B50005A1A62AFA85240D1F65165856EB
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:35
                                                                                                                                                                                                                                        Start time:16:18:29
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:36
                                                                                                                                                                                                                                        Start time:16:18:56
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"powershell.exe" Set-ExecutionPolicy Bypass -Scope CurrentUser
                                                                                                                                                                                                                                        Imagebase:0x7ff788560000
                                                                                                                                                                                                                                        File size:452'608 bytes
                                                                                                                                                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:37
                                                                                                                                                                                                                                        Start time:16:18:56
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:38
                                                                                                                                                                                                                                        Start time:16:18:57
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "dfef552b-734e-4f27-813c-95ef61915f0e" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000CDtpOIAT
                                                                                                                                                                                                                                        Imagebase:0x1fb5af10000
                                                                                                                                                                                                                                        File size:52'272 bytes
                                                                                                                                                                                                                                        MD5 hash:6095B43FA565DA44E7A818CFB4BACBA2
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:39
                                                                                                                                                                                                                                        Start time:16:18:57
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:40
                                                                                                                                                                                                                                        Start time:16:18:59
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "1a1cdc7d-4148-4f2b-a60e-770bbe4296d3" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000CDtpOIAT
                                                                                                                                                                                                                                        Imagebase:0x1ffa80d0000
                                                                                                                                                                                                                                        File size:71'728 bytes
                                                                                                                                                                                                                                        MD5 hash:A86B9D7A0085275F89BBD0878DBDEE3B
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:41
                                                                                                                                                                                                                                        Start time:16:18:59
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Target ID:42
                                                                                                                                                                                                                                        Start time:16:19:00
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun
                                                                                                                                                                                                                                        Imagebase:0x2311f8c0000
                                                                                                                                                                                                                                        File size:52'272 bytes
                                                                                                                                                                                                                                        MD5 hash:6095B43FA565DA44E7A818CFB4BACBA2
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2284989643.000002311F97E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2292782110.00000231202B3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2284989643.000002311F940000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2284989643.000002311F9C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2292530172.000002311FCE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2292782110.0000023120231000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

Target ID:43
Start time:16:19:00
Start date:05/08/2024
Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "fd229431-cfd0-4a48-9506-52dcbd66ece5" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000CDtpOIAT
Imagebase:0x26325290000
File size:33'328 bytes
MD5 hash:B0E08EBA67B6AAB9E4CD11E3CC0D9988
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002B.00000000.2278377637.0000026325292000.00000002.00000001.01000000.0000002A.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
Has exited:false

Target ID:44
Start time:16:19:00
Start date:05/08/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:45
Start time:16:19:00
Start date:05/08/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:46
Start time:16:19:04
Start date:05/08/2024
Path:C:\Windows\System32\msiexec.exe
Wow64 process (32bit):false
Commandline:"msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
Imagebase:0x7ff768e50000
File size:69'632 bytes
MD5 hash:E5DA170027542E25EDE42FC54C929077
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000003.2609665782.0000017409C60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000003.2664696664.000001740A4E6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000003.2664460201.0000017409AAE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2670195074.000001740A4E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2669412412.0000017409AB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000003.2664074629.000001740A4E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000003.2665003366.0000017409AA9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000003.2664333995.0000017409A9B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2668968202.0000017409AAA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:47
Start time:16:19:04
Start date:05/08/2024
Path:C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):true
Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 3463CFE313C5F6D68DABEECB95B6FC58 E Global\MSI0000
Imagebase:0x7ff71e800000
File size:59'904 bytes
MD5 hash:9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:48
Start time:16:19:04
Start date:05/08/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Windows\Installer\MSI30EA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5845281 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
Imagebase:0x80000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000003.2322673285.0000000003F1E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:49
Start time:16:19:05
Start date:05/08/2024
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Windows\Installer\MSI33D9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5845984 41 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
Imagebase:0x80000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2506767031.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000003.2329938218.0000000004036000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2506767031.0000000004350000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

                                                                                                                                                                                                                                        Target ID:50
                                                                                                                                                                                                                                        Start time:16:19:07
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "8f7a044c-935b-42c2-8dbd-e9da15a52a0d" agent-api.atera.com/Production 443 or8ixLi90Mf "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" 001Q300000CDtpOIAT
                                                                                                                                                                                                                                        Imagebase:0x25870460000
                                                                                                                                                                                                                                        File size:55'344 bytes
                                                                                                                                                                                                                                        MD5 hash:77C613FFADF1F4B2F50D31EEEC83AF30
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:51
                                                                                                                                                                                                                                        Start time:16:19:07
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Target ID:52
                                                                                                                                                                                                                                        Start time:16:19:07
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"cmd.exe" /c powershell.exe -File "C:\Program Files (x86)\Microsoft Office\Office16\vNextDiag.ps1"
                                                                                                                                                                                                                                        Imagebase:0x7ff628bc0000
                                                                                                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000003.2350547712.000001D382A40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Target ID:53
                                                                                                                                                                                                                                        Start time:16:19:07
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Target ID:54
                                                                                                                                                                                                                                        Start time:16:19:07
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:powershell.exe -File "C:\Program Files (x86)\Microsoft Office\Office16\vNextDiag.ps1"
                                                                                                                                                                                                                                        Imagebase:0x7ff788560000
                                                                                                                                                                                                                                        File size:452'608 bytes
                                                                                                                                                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.3209141806.0000019573650000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.3238541948.0000019574398000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2394542463.0000019501631000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2394542463.0000019501B34000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.3221945460.0000019573895000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2394542463.0000019500C31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2394542463.0000019500231000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:55
                                                                                                                                                                                                                                        Start time:16:19:08
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /
                                                                                                                                                                                                                                        Imagebase:0x7ff628bc0000
                                                                                                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000003.2360429457.000001D75D154000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:56
                                                                                                                                                                                                                                        Start time:16:19:08
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:57
                                                                                                                                                                                                                                        Start time:16:19:08
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "276b7b5e-f540-44a1-92da-1957752c8d37" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 001Q300000CDtpOIAT
                                                                                                                                                                                                                                        Imagebase:0x1ae120d0000
                                                                                                                                                                                                                                        File size:37'936 bytes
                                                                                                                                                                                                                                        MD5 hash:601E661FD5917647D8932600560E6A27
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2437398737.000001AE12340000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:58
                                                                                                                                                                                                                                        Start time:16:19:08
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:59
                                                                                                                                                                                                                                        Start time:16:19:10
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "f202e152-679e-4c58-b00e-ed39c415edc2" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000CDtpOIAT
                                                                                                                                                                                                                                        Imagebase:0x21b9f270000
                                                                                                                                                                                                                                        File size:197'680 bytes
                                                                                                                                                                                                                                        MD5 hash:D3DB1B40EB62C5E1ED9A8AF5065C7FCB
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003B.00000002.2410571379.0000021B9F442000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003B.00000002.2433812655.0000021B9FE68000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003B.00000002.2433812655.0000021B9FC01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003B.00000002.2433812655.0000021B9FDF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:60
                                                                                                                                                                                                                                        Start time:16:19:10
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:61
                                                                                                                                                                                                                                        Start time:16:19:12
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "3dfb1fdc-c036-4dd8-a0b7-edb6435936db" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 001Q300000CDtpOIAT
                                                                                                                                                                                                                                        Imagebase:0x7ff7c3be0000
                                                                                                                                                                                                                                        File size:159'824 bytes
                                                                                                                                                                                                                                        MD5 hash:0B7534A49A757D7525F7FC966D6CAF5F
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000002.2397258880.0000016E37230000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000002.2397258880.0000016E3723C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:62
                                                                                                                                                                                                                                        Start time:16:19:12
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:63
                                                                                                                                                                                                                                        Start time:16:19:13
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "65366384-0818-4769-8be6-b22dcbed5d6a" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000CDtpOIAT
                                                                                                                                                                                                                                        Imagebase:0x2666a030000
                                                                                                                                                                                                                                        File size:396'336 bytes
                                                                                                                                                                                                                                        MD5 hash:B50005A1A62AFA85240D1F65165856EB
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:64
                                                                                                                                                                                                                                        Start time:16:19:13
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Target ID:65
                                                                                                                                                                                                                                        Start time:16:19:16
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "3dfb1fdc-c036-4dd8-a0b7-edb6435936db" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 001Q300000CDtpOIAT
                                                                                                                                                                                                                                        Imagebase:0x7ff7c3be0000
                                                                                                                                                                                                                                        File size:159'824 bytes
                                                                                                                                                                                                                                        MD5 hash:0B7534A49A757D7525F7FC966D6CAF5F
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000041.00000002.2437644613.000001C6F6C80000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000041.00000002.2437644613.000001C6F6C88000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:66
                                                                                                                                                                                                                                        Start time:16:19:16
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:67
                                                                                                                                                                                                                                        Start time:16:19:17
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "75ab4df9-c133-4579-b7d8-550817dd1a43" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000CDtpOIAT
                                                                                                                                                                                                                                        Imagebase:0x226c2fe0000
                                                                                                                                                                                                                                        File size:219'696 bytes
                                                                                                                                                                                                                                        MD5 hash:01807774F043028EC29982A62FA75941
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:68
                                                                                                                                                                                                                                        Start time:16:19:18
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:69
                                                                                                                                                                                                                                        Start time:16:19:18
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 219cfac1-8d31-4145-a06a-203fddd623c4 "c93ea641-684b-4df2-9842-dc4e21d806d8" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ==" 001Q300000CDtpOIAT
                                                                                                                                                                                                                                        Imagebase:0x2ac71f70000
                                                                                                                                                                                                                                        File size:52'272 bytes
                                                                                                                                                                                                                                        MD5 hash:3180C705182447F4BCC7CE8E2820B25D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:70
                                                                                                                                                                                                                                        Start time:16:19:18
                                                                                                                                                                                                                                        Start date:05/08/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Reset < >
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1690000254.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: $fq$$fq
                                                                                                                                                                                                                                          • API String ID: 0-2537786760
                                                                                                                                                                                                                                          • Opcode ID: 8fccaa78ad00e0b0a9c16a15d9abebd5a499f30daed9b37eee00eaf746bd6686
                                                                                                                                                                                                                                          • Instruction ID: d9caf10d0a8d9feadb7023510104c4007432404e8325e1426aa9727ee8bf41cc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8fccaa78ad00e0b0a9c16a15d9abebd5a499f30daed9b37eee00eaf746bd6686
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DE51C375B003169FCB55DFB8D8406EEBBF6EFCA250B14812AD914D7394DA309D42C7A1
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1690000254.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (jq
                                                                                                                                                                                                                                          • API String ID: 0-3225323518
                                                                                                                                                                                                                                          • Opcode ID: dd9b38041761b12474eb02a4dc5e0c4be9cab63f7978ee3aa053640edd42a40e
                                                                                                                                                                                                                                          • Instruction ID: de2c018fb8ffb564ebd7cbabc5a9fd537c6c71a20e93297062773785461756d8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dd9b38041761b12474eb02a4dc5e0c4be9cab63f7978ee3aa053640edd42a40e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A571C375F002259FEB449BB4C854AAEB7A7FFC8300F149029E606AB3A0DF719D42D790
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1690000254.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (jq
                                                                                                                                                                                                                                          • API String ID: 0-3225323518
                                                                                                                                                                                                                                          • Opcode ID: 7713af59b1528fc96b59103b640085c82dfda8d6faaf32b1691de29bb731a3fc
                                                                                                                                                                                                                                          • Instruction ID: 1d12085ac53b946d4edc05c4771ea4077945705623bb930a373c4524698ae8fa
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7713af59b1528fc96b59103b640085c82dfda8d6faaf32b1691de29bb731a3fc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 32412D35F402265BEB98A7689860BAF679BDFC8710F10543DDA06E7380CE359D0687D0
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1690000254.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (jq
                                                                                                                                                                                                                                          • API String ID: 0-3225323518
                                                                                                                                                                                                                                          • Opcode ID: a1609eba570a78a351959b6036afb5514f39c4c06c48c949c1d4787f136b7556
                                                                                                                                                                                                                                          • Instruction ID: 56cc00a5fc430eedfde30e6a74a41f019e1cc07784084820637ab0799f8966bc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a1609eba570a78a351959b6036afb5514f39c4c06c48c949c1d4787f136b7556
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2F516634A00315AFEB589B68C8647AE3FB7EFC8310F144429D606E7381CE399C06CB91
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1690000254.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (jq
                                                                                                                                                                                                                                          • API String ID: 0-3225323518
                                                                                                                                                                                                                                          • Opcode ID: 139cdccfe47c566fbc1d311be8b88ce7f47d7ed3d716444d7d3bb7aa4d14eb78
                                                                                                                                                                                                                                          • Instruction ID: 230505e91eee37b8e093e6cf911d8774ed7a90e68096aab941fa90c2ea994c14
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 139cdccfe47c566fbc1d311be8b88ce7f47d7ed3d716444d7d3bb7aa4d14eb78
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A9318D21F183650FEB696678585437E3FDB8FC5218F0484BADB05CB386DE689D024391
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1690000254.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1690000254.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 12e8436aa0b7dca73987b9ca162970c5f9c0f64a912913fd680f6142d8ffe4a8
                                                                                                                                                                                                                                          • Instruction ID: 12e1395348111dba74106982bf4fe4f2dfd2d7f088029264b7e7de9d9db27a62
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 12e8436aa0b7dca73987b9ca162970c5f9c0f64a912913fd680f6142d8ffe4a8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 23510631B053228FD710CB68D894A6EBBB2FF45308B15D1A6EA18DB262DB31DD42C791
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1690000254.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1aa1a3fb17b834b74af05564948235cc744e1e95fbfdd221ae8f6fa922998ed9
                                                                                                                                                                                                                                          • Instruction ID: dde96ad75d51d28d103dea386e54df78bac1836a18b6385c1c68b3657ab30792
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1aa1a3fb17b834b74af05564948235cc744e1e95fbfdd221ae8f6fa922998ed9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2A318D7EF0436A6FD3545AB868216AE7B27DBE2200B056076C7048F266DD669D07C3E1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1690000254.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b885033700ae97f1dc87005f91efae777cc55d93d7a2576423406da7946b95d7
                                                                                                                                                                                                                                          • Instruction ID: 3e2cc201664ef739c78ba779d04149c901bf8af86f717c059b92f5a6d7262060
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b885033700ae97f1dc87005f91efae777cc55d93d7a2576423406da7946b95d7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B741E035A0431AAFDB84DBA4D8207EE7FB7DFD8215F104029DA0997381CE359E46CB91
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1690000254.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 864b53481173bda591e3767e4256083472fc3e68a3a8282497267f96746a829e
                                                                                                                                                                                                                                          • Instruction ID: ee0587108f1aff8281520f72f11c718b70b060613da9dd5d6441deb29fc06ea5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 864b53481173bda591e3767e4256083472fc3e68a3a8282497267f96746a829e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FE319B3AF043662FEB155671681176F7F2BDFD1290B25602BDB08CF195DA259D02C3B0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1690000254.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 91c136b5ef4d2d834680d343859d2202b9636f0d3f828ccfb854c6874ea567d7
                                                                                                                                                                                                                                          • Instruction ID: 367697d11ae30e89563a3904052b8c28e8ecaed39fd884c6ce0c3e827aa73d2f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 91c136b5ef4d2d834680d343859d2202b9636f0d3f828ccfb854c6874ea567d7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D8414A35B002159FCB44DF68D98499EBBB6FF89710B14816AE905EB364DB31DD42CBA0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1690000254.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 69f772f01ec9fa778922db32ef6cf251818d9805ef39e251aeb478f9e3b29e9a
                                                                                                                                                                                                                                          • Instruction ID: 14fa86526b247c22063bf393586040728438f3c34087c79e045b70a18f5ac302
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 69f772f01ec9fa778922db32ef6cf251818d9805ef39e251aeb478f9e3b29e9a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0B21C021B193620FEBB95635585037E2FAB4FC5318F0450BACB01C73C6DE689D0243A1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1690000254.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b7bca11964bbb6f78381dc86f839e234d8968eb63f7bd6505a7eebe4ceeafbd1
                                                                                                                                                                                                                                          • Instruction ID: 3c35b0e9afdae5c8298c320c1313c475dca43cccc84305dc09b06bc5ac163d93
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b7bca11964bbb6f78381dc86f839e234d8968eb63f7bd6505a7eebe4ceeafbd1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4921AD32E423776FE78126B428153EE3F5ACF82664F119473EF189F151C914CA878391
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1690000254.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dd9ecdb446eb9b3e46093e700fc658c71c9d5f8a165739b90cf72702c7b1b08e
                                                                                                                                                                                                                                          • Instruction ID: c6112e9324f083169996fa4c2ee07b05ac09be0cd9ffed056cab6a18c4d58afd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dd9ecdb446eb9b3e46093e700fc658c71c9d5f8a165739b90cf72702c7b1b08e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3E212832F003659BEB049A7588546EE7BABDFC5258F045076DA02DB241EE31DE0AC791
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1690000254.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ab311926fbe099c9cc92bd054be335de53d4309462fd94900253e2556d9eb7a1
                                                                                                                                                                                                                                          • Instruction ID: f716cee5bd72c8ad00bb56e8ecc28949e2dc528f9db6bf4b41c3b10bd8efcaa3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ab311926fbe099c9cc92bd054be335de53d4309462fd94900253e2556d9eb7a1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 65115529F093A12FEB5A667548503AB2F6A9FD1654F0840AACE458F393DF248D038390
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1690000254.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.1691442490.000000000474D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0474D000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_474d000_rundll32.jbxd
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1690000254.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f44b487855166d25ad09a0fd075683fdc8bf63d9bf378f72286f0a924991aee1
                                                                                                                                                                                                                                          • Instruction ID: 86734ff154a2be508d00ab91c603fdba02f5c434cf0bd6dc34d580fa7bab84b3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f44b487855166d25ad09a0fd075683fdc8bf63d9bf378f72286f0a924991aee1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FDF0B43BB101964BDB0C8678E0582EDBB729BC9224F24807ED943A7684EF355D1ACB90
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1690000254.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3d3c86fccda9c30049545f453890a47131d6c4a0c3aec9685de303830f808cf9
                                                                                                                                                                                                                                          • Instruction ID: 2a27a9e0a68c29ad0a160cee94848feda580a3d5d18ef54314c0649de34bc698
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3d3c86fccda9c30049545f453890a47131d6c4a0c3aec9685de303830f808cf9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 68F09678E052565FD74C5FB8517525E3F9AEFE4118704186987098F1A1EE658D02C781
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1690000254.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 68db54448504b31263e845b053d58a5811e349e54eafd7524790694bc6e342a4
                                                                                                                                                                                                                                          • Instruction ID: 00f00ec3a03288eae2e6afdd4f0fbbf5c93a40a4cc5347448d7f7920b37fb64c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 68db54448504b31263e845b053d58a5811e349e54eafd7524790694bc6e342a4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DAE09221B3433B0EFBF8256858507B627CF5B81708F002C39CB418BA89D8C4EE4003E2
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1690000254.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f1a287d062f4b84384aab58bda94be6ec34e564ef776df8b3e737aa7a5a1fa7f
                                                                                                                                                                                                                                          • Instruction ID: f85969b440e6794a973d962fcc80d80f99a6bf23daa3b5afbdbd52e17c810d12
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f1a287d062f4b84384aab58bda94be6ec34e564ef776df8b3e737aa7a5a1fa7f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DEE0E537F101154BCB089668E4585FDB776EBC8210F108036D902A3744EF341D19CBD1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1690000254.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d7fbd27a1efd75a597f950308efd7c0f4df3ec12f79f9fbe62826ea5700176e6
                                                                                                                                                                                                                                          • Instruction ID: 8c365c15c6b1239e628d5c48b023ae52f2a374ea434c186585d2a95262ac3dc8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d7fbd27a1efd75a597f950308efd7c0f4df3ec12f79f9fbe62826ea5700176e6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 76E0C23320D2541FC7025B20B8161997FB9DB1E51030840A7E8818B2A2DE214D13D3D0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1690000254.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 87b1847369afc5530a9ee91c32e11422cf0151129be0d4fd4f73000f47369bbf
                                                                                                                                                                                                                                          • Instruction ID: 1140973cb4c855ed674d14aa375e41bfc67b23a9111c5e519147987b4a4cbe4c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 87b1847369afc5530a9ee91c32e11422cf0151129be0d4fd4f73000f47369bbf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 42E0C2B11453000FE70AA3B0B9453DD2F61DFD1908B038DA6D9428F163EF20AC8B9381
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1690000254.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3b9553cbdd8c1f1869e0fd1b16f8c1aba9eefaf8bf2adb3a87f8651c0f83bf85
                                                                                                                                                                                                                                          • Instruction ID: 16a6a69e90bbcd37fd7438095cd2c8b56c44b32047dc4490d6774d22e29c176c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3b9553cbdd8c1f1869e0fd1b16f8c1aba9eefaf8bf2adb3a87f8651c0f83bf85
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B0E017B4D0030A9F8790EFB9894166EBBF9BF49204B1085AEC50CD7600FB729A12CBD1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1690000254.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1690000254.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1690000254.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_6e20000_rundll32.jbxd
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1731010675.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_43f0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: Plfq$Plfq$Plfq$Plfq$Plfq$reateContract$x kq
                                                                                                                                                                                                                                          • API String ID: 0-864685978
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (jq$reateContract
                                                                                                                                                                                                                                          • API String ID: 0-1104314950
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1731010675.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_43f0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: \;fq
                                                                                                                                                                                                                                          • API String ID: 0-2617567484
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: hq$$&gq$(_fq$4'fq$4'fq$4'fq$4'fq$4cfq$4cfq$@bfq$|-gq$$fq$$fq$cfq$cfq$hq
                                                                                                                                                                                                                                          • API String ID: 0-2851686461
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: hq$$&gq$(_fq$4'fq$4'fq$4'fq$4'fq$4cfq$4cfq$@bfq$|-gq$$fq$$fq$cfq$cfq$hq
                                                                                                                                                                                                                                          • API String ID: 0-2851686461
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (jq$(jq$(jq$(jq$reateContract
                                                                                                                                                                                                                                          • API String ID: 0-3544919295
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (jq$\;fq$reateContract$|eq
                                                                                                                                                                                                                                          • API String ID: 0-966877728
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (jq$cessPermission$ctions.IList.get_Item$rialization
                                                                                                                                                                                                                                          • API String ID: 0-2191824092
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (jq$erializedCallbacks$harpFuncCall$ion
                                                                                                                                                                                                                                          • API String ID: 0-2286762148
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • tem.Collections.Generic.IList<Newtonsoft.Json.Linq.JToken>.Insert, xrefs: 043059A5
                                                                                                                                                                                                                                          • (jq, xrefs: 04305801
                                                                                                                                                                                                                                          • reateContract, xrefs: 04305812
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (jq$reateContract$tem.Collections.Generic.IList<Newtonsoft.Json.Linq.JToken>.Insert
                                                                                                                                                                                                                                          • API String ID: 0-1508425982
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (jq$(jq$reateContract
                                                                                                                                                                                                                                          • API String ID: 0-2087402787
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (jq$d
                                                                                                                                                                                                                                          • API String ID: 0-51203222
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (jq$reateContract
                                                                                                                                                                                                                                          • API String ID: 0-1104314950
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (Akq$reateContract
                                                                                                                                                                                                                                          • API String ID: 0-2560084027
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (jq$reateContract
                                                                                                                                                                                                                                          • API String ID: 0-1104314950
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: $fq$$fq
                                                                                                                                                                                                                                          • API String ID: 0-2537786760
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (jq$reateContract
                                                                                                                                                                                                                                          • API String ID: 0-1104314950
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (jq$LRfq
                                                                                                                                                                                                                                          • API String ID: 0-985239907
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (jq$reateContract
                                                                                                                                                                                                                                          • API String ID: 0-1104314950
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (jq$reateContract
                                                                                                                                                                                                                                          • API String ID: 0-1104314950
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: cessPermission$ctions.IList.get_Item
                                                                                                                                                                                                                                          • API String ID: 0-2620053380
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 043F9FF8
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1731010675.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_43f0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 6842923-0
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 043F9FF8
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1731010675.00000000043F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 043F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_43f0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 6842923-0
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (jq
                                                                                                                                                                                                                                          • API String ID: 0-3225323518
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • t_TypeNameAssemblyFormat, xrefs: 04303672
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: t_TypeNameAssemblyFormat
                                                                                                                                                                                                                                          • API String ID: 0-1464162409
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (Akq
                                                                                                                                                                                                                                          • API String ID: 0-2492550396
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: LRfq
                                                                                                                                                                                                                                          • API String ID: 0-2333822924
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: \;fq
                                                                                                                                                                                                                                          • API String ID: 0-2617567484
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: ssion
                                                                                                                                                                                                                                          • API String ID: 0-246655464
                                                                                                                                                                                                                                          • Opcode ID: ac3da77be729f27f79d5a3bb386d405ff06106e46de5323b05e8f7f88a009a28
                                                                                                                                                                                                                                          • Instruction ID: 0b6ace23d28eebde640d72efe8d3a9d478fe2cfe58a4cca00ff896a1cc898396
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ac3da77be729f27f79d5a3bb386d405ff06106e46de5323b05e8f7f88a009a28
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 39119772BA93942FE30126B874307EB3F948F42311F01E4E7DE088B5D2DD28988593C0
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: LRfq
                                                                                                                                                                                                                                          • API String ID: 0-2333822924
                                                                                                                                                                                                                                          • Opcode ID: 610aa8123137133177a771aaff91c416fd37801e934f1dd338dad328a6a59028
                                                                                                                                                                                                                                          • Instruction ID: eb901f8e6ecc80b435c8505244fac6af10550334cc02db3326bad9f565b78e93
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 610aa8123137133177a771aaff91c416fd37801e934f1dd338dad328a6a59028
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 12218034B10114DFD7089F69D469AAEBBF6EF88710F10801AE902A7394DF75AC018F91
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: LRfq
                                                                                                                                                                                                                                          • API String ID: 0-2333822924
                                                                                                                                                                                                                                          • Opcode ID: 2736214bfea0a51609d3cc225651193290313b308b4ca47781be0401f5d8ebdf
                                                                                                                                                                                                                                          • Instruction ID: 9e86a64e97ada78d4ca093a3976c10a3261c533450b2bf9ca997cefa5767619e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2736214bfea0a51609d3cc225651193290313b308b4ca47781be0401f5d8ebdf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BA216234B10104DFD7089F69C469AAEBBF6EB8C710F148059E506A7394DF756C01CF95
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: harpFuncCall
                                                                                                                                                                                                                                          • API String ID: 0-922225500
                                                                                                                                                                                                                                          • Opcode ID: 998431425e00777f1bd6b63bf2125f15965d6a79cf4ef295e7a6a394f2c14ac7
                                                                                                                                                                                                                                          • Instruction ID: 81ef5323574d10f5d8d5bd15e5ac07fd414b2af5d1e6b58937d02e3903854688
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 998431425e00777f1bd6b63bf2125f15965d6a79cf4ef295e7a6a394f2c14ac7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8D216371B00104AFDB05DF68D4A4A9EBBB2EF8C315F148115E809A7780DF7AAC85CB90
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: get_Operation
                                                                                                                                                                                                                                          • API String ID: 0-3080211784
                                                                                                                                                                                                                                          • Opcode ID: 1b3f408de444e4cd1d84247b3e680695607deaa237b175d998d93236c35c58d1
                                                                                                                                                                                                                                          • Instruction ID: 83332db3f7d75f451660f501b81b5e5f76df31e954ce9465656d56b1228fc0f1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1b3f408de444e4cd1d84247b3e680695607deaa237b175d998d93236c35c58d1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8C112B20B182581BF728367814743AE1F9A8F82704F0195FACD45CB6C2DDA4EC4143D6
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: fkq
                                                                                                                                                                                                                                          • API String ID: 0-1814508662
                                                                                                                                                                                                                                          • Opcode ID: 22ac6b31b28a275e6ca61914f1f794d6e3322031a0f60cbe7e25f6e272f710b0
                                                                                                                                                                                                                                          • Instruction ID: 2b0cac2a98b74ef3d4ff91528ec77eb113820c553f46e9f2fda9e8f2c8db4b75
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 22ac6b31b28a275e6ca61914f1f794d6e3322031a0f60cbe7e25f6e272f710b0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4911A775B002156BDB049FB5A4545BFBBBAE788700F01802AF905D7384DE349D069B90
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: harpFuncCall
                                                                                                                                                                                                                                          • API String ID: 0-922225500
                                                                                                                                                                                                                                          • Opcode ID: fb9ae0667e1f231e05d2d5e4430b8ad16bd5e2a4ccf8a49db90cdff2b8f4cf8b
                                                                                                                                                                                                                                          • Instruction ID: ba02198e6b0d242f86a47602ab6919afbcdc3a7477b9bbc75979193a5ff87e0f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fb9ae0667e1f231e05d2d5e4430b8ad16bd5e2a4ccf8a49db90cdff2b8f4cf8b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C2114570B00204AFDB04DF59D464A9E7BB6EF8C315F148115E409A7390DF76AC45CB90
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: fkq
                                                                                                                                                                                                                                          • API String ID: 0-1814508662
                                                                                                                                                                                                                                          • Opcode ID: 372edbe4c7e149d5040b8b815d6781686964576e9cacc02aabdec19507e4a8fc
                                                                                                                                                                                                                                          • Instruction ID: 1143a0680b5e8bcdda685b287848fc840a19c823fda95c2a8e060487d2754715
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 372edbe4c7e149d5040b8b815d6781686964576e9cacc02aabdec19507e4a8fc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 87118235B002155FCB049FA9A85897FBBBAFBC8701F11802AF905D7384DE384D069B91
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0f73cb3d9a803baff28e9aadfcbed20bb94840d5af97efafdda355842e8cf7f0
                                                                                                                                                                                                                                          • Instruction ID: 1096c504ff5415b065de9dcfe6ab3382e71ccbb41036332b2f9c4ee35d03b323
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0f73cb3d9a803baff28e9aadfcbed20bb94840d5af97efafdda355842e8cf7f0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AB715974B002019FDB09DF28D49456AFBF2FF88304B149669E85A9B355EF34EC46CB91
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0d71f5ac6c0568216e76bc275a81f2bf8c58116afa4dc89444c5d816b3c99ec2
                                                                                                                                                                                                                                          • Instruction ID: 18642446dccd76c61b61472d2c1219bd2de0ed2a416d379f23b75bb2233b1bac
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0d71f5ac6c0568216e76bc275a81f2bf8c58116afa4dc89444c5d816b3c99ec2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 49511C343046018FDB09EF29E4A492A77E6AFD9711729E1A9E006CB3F1DE71EC41DB40
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 15394692011e0e9e5cf8ad24b6669efa5be460e71db35cb559290f1263e43152
                                                                                                                                                                                                                                          • Instruction ID: 5e03bfaa00d5820318387984ec91d43bf1c026f1cd01c21a3a3f45106a1ff14d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 15394692011e0e9e5cf8ad24b6669efa5be460e71db35cb559290f1263e43152
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 51716874B006019FDB09DF24D49456AFBF2FF88204B14AA69E85A9B365DF30EC46CF91
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5a2cf983c4326d52b3bbd605a5d30709c89c23818a60a7e4d5ca0adaa2fdf255
                                                                                                                                                                                                                                          • Instruction ID: 5f341f1cd06356ae5e84693b94781d45c12842a4ce4a7894971e9061c0d3834f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5a2cf983c4326d52b3bbd605a5d30709c89c23818a60a7e4d5ca0adaa2fdf255
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 91618F31B002059BCB14EF69D5A9A6EB7F7EF88700B249929D406EB390DF74AC058F91
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6d5bf02238674a6399faf8083172d4f774efa96474f91929a452f081f9c5ba2d
                                                                                                                                                                                                                                          • Instruction ID: 928f95f16f79bab7bc70a2896d68a606b90f58817e410cb749b23943868a338e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6d5bf02238674a6399faf8083172d4f774efa96474f91929a452f081f9c5ba2d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7451B7B150E3D15FE7038B3898A56957F74EF43204F0A51DBD581CF1A3DA34A94AC752
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e9017bec8659791f3a85b1595be8b4da8a88bc013a5a66551e2285ab71b8822f
                                                                                                                                                                                                                                          • Instruction ID: 5cba93987e1e9c37974f5ed59a847a10f3df61b2f5ffea7a24d06fde2cbf0d9c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e9017bec8659791f3a85b1595be8b4da8a88bc013a5a66551e2285ab71b8822f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EE716974B002018FCB09DF24D49456AFBF2FF88200B14AA69E9568B365DF30EC46CB91
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ccaea25c9f1f454087ef97babba7118bcfa50aa53cac91b2ac0080cff6c7a9eb
                                                                                                                                                                                                                                          • Instruction ID: 25c4d60e4f94bcf32246d2a1872160b92b2be6c4ad1ac618de36388453ef2bb3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ccaea25c9f1f454087ef97babba7118bcfa50aa53cac91b2ac0080cff6c7a9eb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 05715974B002018FDB09DF24D59456AFBF2FF88200B14AA69E8568B355DF30EC45CB91
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9baf2a7b67af5ccd638fb81d04d668333ebb051f1fef1a156cd5f21f5b46371c
                                                                                                                                                                                                                                          • Instruction ID: 0d42d4c99ef024ceea4253fc281c8952baab6f44e564d3e6d426e00a9e488e56
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9baf2a7b67af5ccd638fb81d04d668333ebb051f1fef1a156cd5f21f5b46371c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9251BEB190D3C19FD703DB7898A45997FB1AF57214F0A55CBC0819F2A3DA38A90ACB52
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9e7d45a38c0a917834415ce458fed8343f778570588bd2d1b71fec85acba54ba
                                                                                                                                                                                                                                          • Instruction ID: a59000e0d31071ba38524d41137bd3ab2b6bd96da9627a7349d7cbcf867cb340
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9e7d45a38c0a917834415ce458fed8343f778570588bd2d1b71fec85acba54ba
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6E517B70B002069FCB05DF68C995AAEBBF2FF88310B15D569E4059B3A5EB30ED45CB91
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.1731572782.00000000027DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027DD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_27dd000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3337a8e734a3b2c00cde055ea6ac13a984dcf2bb2d25586bb6db07c0c09a9be7
                                                                                                                                                                                                                                          • Instruction ID: ac34ab2179322057f7423c645c78af080585bfda3420012b25ff097171ffd956
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3337a8e734a3b2c00cde055ea6ac13a984dcf2bb2d25586bb6db07c0c09a9be7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AD2134B6504241EFDB25DF14D9C0F26BF76FB88324F24C5A9E9090B256C336D456CBA2
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7999a7e8ef278e27e9883ed2bb9f83fdfc2914e82907c25fba4f4460fd1b4099
                                                                                                                                                                                                                                          • Instruction ID: c95ebf26997425114e72883d8bc5bb8a0b734712d702279c813bfde105318b0c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7999a7e8ef278e27e9883ed2bb9f83fdfc2914e82907c25fba4f4460fd1b4099
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6421C534B00209CFDB159FB5D86466AB7AAFB88301F00D176E90587280DF31B845DB91
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9629997d929f3e732e17ffbb3eaa7e07f5569f6222bfc7ac6200ced90bf728dc
                                                                                                                                                                                                                                          • Instruction ID: 91b7c0c12b756afc12746dc022dd042cc9cda0e3370f0592125de26adcc46e88
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9629997d929f3e732e17ffbb3eaa7e07f5569f6222bfc7ac6200ced90bf728dc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7F1160757042004FEB14DA6DD8A0A2BF7EAEFC8260714E13B9959CB796EE71FC018394
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f2d08a147b2837c5931453291ab4e4aab083762f745d96d09d6db153bdca0120
                                                                                                                                                                                                                                          • Instruction ID: 17182e168b1c8cbd9ded7387b6639d5f0f4f8f9dc1609e074693960afce777ba
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f2d08a147b2837c5931453291ab4e4aab083762f745d96d09d6db153bdca0120
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F5210375A102199FCB44DF68D8849DEBBB2FF8C710B10826AE905EB364DB31A846CB50
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0242213ddcd58cd2fe570fdd2f42e54ea7315001c5d469a3435fd25983170766
                                                                                                                                                                                                                                          • Instruction ID: 30eda5e243e2eeeecee2684b3145986c87bf9e3ca723312d0ebd163b32bec2c2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0242213ddcd58cd2fe570fdd2f42e54ea7315001c5d469a3435fd25983170766
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8F113A74B002099BDB08DF95D590BAEBBF6EB9C310F219169D805BB280DA71ED46CF90
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9f04f4aefab23c49cebbed192f398ef598da717ddd1e65af09759dcbb96fe172
                                                                                                                                                                                                                                          • Instruction ID: 0c95351878ba91200ec6bcf464e8fe7ac96d9f8b82baa4b2c0253b94479956de
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9f04f4aefab23c49cebbed192f398ef598da717ddd1e65af09759dcbb96fe172
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BC2115B0D002098FDB10DFAAC881ADEFBF4FF58320F108429D919A7240C775A905CFA2
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.1731572782.00000000027DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027DD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_27dd000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4fe2663dfa9d4fd4df0699c675d515dd5cecdf76209536a613257ec6b013316d
                                                                                                                                                                                                                                          • Instruction ID: b0be06d39996b7ccbe9248d52e9f64717bef90c928928898a8af794ddf6195e9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4fe2663dfa9d4fd4df0699c675d515dd5cecdf76209536a613257ec6b013316d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5D11E676504280DFCB26CF10D9C4B16BF72FB84324F24C6E9D9494B656C33AD45ACBA2
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c88b8a620067ed4bab0e75450547797331498aa651dcb347094dcf39dce72626
                                                                                                                                                                                                                                          • Instruction ID: 4dd44a97ea57d94d053dc0680f87e037d73923d192bf591d62a0c6c619202367
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c88b8a620067ed4bab0e75450547797331498aa651dcb347094dcf39dce72626
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CF1160F680D7C55FD7028B30A8A92857FB0DF13248F1A44DBC0858B0A3E5695A4BC752
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e6c08be8ddf3a979ccfc448d5b47a805e653d035d2c4d8e2515bab96fc699828
                                                                                                                                                                                                                                          • Instruction ID: da303d6563fb30ae98a82cb250ee608d4b60a7fb4c932dc2a75a83d866d54e67
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e6c08be8ddf3a979ccfc448d5b47a805e653d035d2c4d8e2515bab96fc699828
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CB21EA78E00209DFDB04EFA8D4909AEBBF2EF49314F509599D405AB350DB30AA40DF92
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: eed9dc5279d8b89664caa4bf0589bf3af264c5292ee49dcf7dcb82a68cfa3155
                                                                                                                                                                                                                                          • Instruction ID: 807e9dbdbe92d53604aaf30cf9c649cd1b8b9a9167d27ff14307866bc16745f4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eed9dc5279d8b89664caa4bf0589bf3af264c5292ee49dcf7dcb82a68cfa3155
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E61106B5D002498FDB10DFAAC581ADEFBF4FF48324F10841AD519A7240C775A905CFA1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 551ac8171fcf8fb7778e7df0670d4d0d737974805295916b0871fca9793748b3
                                                                                                                                                                                                                                          • Instruction ID: dbf5b991b3dac3a2847945f4779c955e35c518a85345536cbc16831fe320c519
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 551ac8171fcf8fb7778e7df0670d4d0d737974805295916b0871fca9793748b3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 391108B63007019FD315EB2CE490B9977E2EF88320B05997CD549CB665EF30E842CB84
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.1731572782.00000000027DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027DD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_27dd000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 03346c54fe536c44231258db4eb0d4da01096c46c3df3f31d991bbd413dae664
                                                                                                                                                                                                                                          • Instruction ID: c318c41b3d6c67873994068e79f5a1e4394a13ba02d9464eeaa8f8c63c0635c2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 03346c54fe536c44231258db4eb0d4da01096c46c3df3f31d991bbd413dae664
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ED016D7240D3C05FD7224B258884752BFB4DF43224F1981DBE9888F293C2685C45C772
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.1731572782.00000000027DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027DD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_27dd000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ba218cead81ea7f4a9d16554e3f19afbbbfd24919fd7b2f66400df398de10dd1
                                                                                                                                                                                                                                          • Instruction ID: 31692289683386f3898f52a17e837dcb1453476044cfdadf858ea403313f5787
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ba218cead81ea7f4a9d16554e3f19afbbbfd24919fd7b2f66400df398de10dd1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6D0126B2508300AAE7308E29CDC4B67BFA8DFC1324F58C51AED485B282C7789845CAB1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c10b5818cf687baa03c0e6ff28889c14d1aaa5beae61e551a1dd464ebc281111
                                                                                                                                                                                                                                          • Instruction ID: 4ad26f5beb714adb236507f42b383591e2646be37750be8ab6c9973bcc7fc619
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c10b5818cf687baa03c0e6ff28889c14d1aaa5beae61e551a1dd464ebc281111
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 84F096363041244F97085A5EFC9866FB7E9FBC4565314523AE509C7390DBA1DC028790
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 32607313dabdd58f5e418331b4a8e9d4a8e45734e84a63c027321197baa3b1d9
                                                                                                                                                                                                                                          • Instruction ID: 054de6a411a4dcc486d9d7f010d8dd7632e0342e9e33263039857de6842d3fd5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 32607313dabdd58f5e418331b4a8e9d4a8e45734e84a63c027321197baa3b1d9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6EF081757001019BDB14DAA99890A5EFBAAEF88250B04D236D92CC7354DB35E806C690
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e57c80c6ff5a5b16b22e81459bf103c9e7cfed7f7e00e486e7375b731fb11f0d
                                                                                                                                                                                                                                          • Instruction ID: 9bd625ab20b8f847d8debb304f71aacc92189b987fa8a99e098a5e2f56a74b52
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e57c80c6ff5a5b16b22e81459bf103c9e7cfed7f7e00e486e7375b731fb11f0d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 36018CB17042005FE754CA6DD8A0B6ABBE9DF88364B05953AA919DB792EA31FC018790
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 614ddd99098443757d43f05e95bc74d65d5b7ffb1a4069a60a838c51842698cc
                                                                                                                                                                                                                                          • Instruction ID: bef1ab576575c439b52c158b197b88395173f31942e3d39fd976ca63e37e0ab1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 614ddd99098443757d43f05e95bc74d65d5b7ffb1a4069a60a838c51842698cc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5B012BB6300301BFEB099B78E48426D77E7EFC4314B80696CD10A9B250DF71AC468F95
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c0f1777ade67f2116f5629d1a76a4ba9cf9722cd3f7f902cf0e8713c66919057
                                                                                                                                                                                                                                          • Instruction ID: 9299fe5ee33225c902b6e3533e6d42f101f951fc7be504ef1dc71d8f1b3a0c48
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c0f1777ade67f2116f5629d1a76a4ba9cf9722cd3f7f902cf0e8713c66919057
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EA010C71700205CFCB05DF68D88099ABBA2EF85318B149AA9E4199F216DB31ED169FD1
Memory Dump Source
• Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8b241d48d8c7644bfe55de2f7fa2562389ff4ec414a207b67deae5b4e40884dc
                                                                                                                                                                                                                                          • Instruction ID: 5e0cb8e68244373ce5e9e2b59d2c153e51e0b0655fe28f46f3b7035d77e646e1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8b241d48d8c7644bfe55de2f7fa2562389ff4ec414a207b67deae5b4e40884dc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D6F0BE76A04105AFC712CF69E440A8ABFF5EF89310B0981A6E648CB252E731E911CB90
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 252c91a43e91c9f010caa76399deae1debd0e7dc949dd00717095b089c7d505c
                                                                                                                                                                                                                                          • Instruction ID: af5ea6576a467f16ede8266d63d16a77a779456934db6c2d43ebe29f2b08eb3f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 252c91a43e91c9f010caa76399deae1debd0e7dc949dd00717095b089c7d505c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6BF027727009002BD719A668A49051F7B96DBD4310700597DE21C9B280DE20ED058BC5
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9211b71859c8629a237c311313556a4f89721caea4c5ada32223008e32f4259b
                                                                                                                                                                                                                                          • Instruction ID: 86c466101067a5dec28fb19e685a0136f2a1bcdfc875b4eea4e8a7b0ad160e61
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9211b71859c8629a237c311313556a4f89721caea4c5ada32223008e32f4259b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C4F0E5353102164BD718DA7AD850466FBDAAFC82A0708F2B5D909CB360EE71DC42C7C0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5a7c64e578cdb29b27252b53eb90c9b48dd09c2cfd3f2555ff2ca43b0db15f94
                                                                                                                                                                                                                                          • Instruction ID: f163abf7b67b31c687ef30c4da31e16825c90290270be01e10bcebfd4babe9d1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5a7c64e578cdb29b27252b53eb90c9b48dd09c2cfd3f2555ff2ca43b0db15f94
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 54F0EC703003006BD714EA3CD890A5A3BDADFCA324B04986AE248CB261EE20EC02DB95
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 85af50b5ba6dafc174fdae2d772a64d91d67770d1cc26e9518efc6ad4ad2b088
                                                                                                                                                                                                                                          • Instruction ID: 2096cdad72034926b171929d8e6749303b78553773a9b2b4c446ac7e0a2cde90
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 85af50b5ba6dafc174fdae2d772a64d91d67770d1cc26e9518efc6ad4ad2b088
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 01F05C3630070067C32B5A25D8907AB77A5CFC1750F017B2EE98987194ED61F8019791
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8a8cfe1be2b867ca9a2486f38feab95db38573f3376f4dd0b84010d593342124
                                                                                                                                                                                                                                          • Instruction ID: 49942b27a0a19e2a19d85deea6a636918e37b220f2d91897edbcea571b6b7ce9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8a8cfe1be2b867ca9a2486f38feab95db38573f3376f4dd0b84010d593342124
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5CF0E2703002018FD714EA7CE454A6E3BE2DFC9300B445969E249CB660EB20ED429B41
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6dccbafa6479eb0df8aa0b9262707fadb5958cdd953d0bf18f0e0a4ac3248f49
                                                                                                                                                                                                                                          • Instruction ID: ad5ee33218f047198f01b1b63e3370ea27b014d67ce589d1379aab70cb7b64c9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6dccbafa6479eb0df8aa0b9262707fadb5958cdd953d0bf18f0e0a4ac3248f49
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 74F0F675128B909BC3299B19E44425BBBE4EF81708F006C1DD1C646A91DBF6A849C785
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d3d56a51a3777541b0e8d3a3da70634e9ef4c18027401182a00eb3df80f79c25
                                                                                                                                                                                                                                          • Instruction ID: 8568b9f63f5ebf3df9210d8cdd3e1f97a9a7dc02900f7352f14138f31fd95fee
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d3d56a51a3777541b0e8d3a3da70634e9ef4c18027401182a00eb3df80f79c25
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 71E02B313009012BD615A66DA45041F76DBDBC4360340A97CE11D97780DF20FD454BD5
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
Memory Dump Source
• Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2ac704eab14d9d31329aae1351eee5dd0ecfd8a8d9c994b45374fd19fa7081f7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 05E092B0905688AFCB01CF74A89058D7FB5DB09200B1054EED408E7252E9315E019742
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: aa20e2c05f45b96c3e03799689b447d4e71b8512eb6df40198ee184ef5c49dff
                                                                                                                                                                                                                                          • Instruction ID: 3765de0e650e85a6c89c700da7f763f685c8702fdf48e1655e6b5126f1b07179
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aa20e2c05f45b96c3e03799689b447d4e71b8512eb6df40198ee184ef5c49dff
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F7E0C23120030857C6147758E04956EBBEAFBC9764B00242DE44A83700CEB5BC428FD5
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 47adc8b91d4074b0bd463631961c7676ed33a373f201dba37221d3fef8e4783a
                                                                                                                                                                                                                                          • Instruction ID: 843b99c50894e96993aa225115f9ee24149a7f2f55268e2d8e32c803e1e48f46
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 47adc8b91d4074b0bd463631961c7676ed33a373f201dba37221d3fef8e4783a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D3E0DF767003049BC708AB28E04522D7BDBEBC8359F01282DE68AC3784DE38A842CF84
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d1780621d07004a4eb7cb24b54d6d822cfc9c24b690e471ea2978fd76a2f9a69
                                                                                                                                                                                                                                          • Instruction ID: cbad02efebf12ef7b789d7eced51c33dba2b16e19a6e97ac281a9a319485aa94
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d1780621d07004a4eb7cb24b54d6d822cfc9c24b690e471ea2978fd76a2f9a69
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B7E0B6B52042049F9314DF5CD880D95BBE9AF59254355819AE848CB362D722ED12CB90
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bb72020f8fc9e14cd2d33fb2a8446164b84af71973e6ba5d1cfe7679e1cd1511
                                                                                                                                                                                                                                          • Instruction ID: ce4dd70e483d2db5a1260c7bf9499d0643a0a0241d3ec67fdd83c0191ec89095
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bb72020f8fc9e14cd2d33fb2a8446164b84af71973e6ba5d1cfe7679e1cd1511
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CAD0A73A700125171E05259E741853E77AFCBC9F61308112EEA0EE3388CF769C0107D5
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 83a95e05ba8ba3fa45eb58f4ba59e55570b68ea110bb4210eed52889e990fc73
                                                                                                                                                                                                                                          • Instruction ID: 3c08a5d547300f2b5da4ae48e2af9f237dafd5e0aed06b1c04d7182dff4356b2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 83a95e05ba8ba3fa45eb58f4ba59e55570b68ea110bb4210eed52889e990fc73
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 35E0B674E0820CAFCF44EFE8D45459DBBF9EB48300F0085AAE819E7350EA355A459F81
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: db4bfe8d5c4555c3c4f0b743a75e24b38fac97de53775884b84a35894cce662f
                                                                                                                                                                                                                                          • Instruction ID: 964fef51d39d44970f24d06940ac14cf52a626e232a47c048c56fe24c1e5128a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: db4bfe8d5c4555c3c4f0b743a75e24b38fac97de53775884b84a35894cce662f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 43D02E372492908FD309D760F8A7099BFB3EB063003088007E802CB9AACE3904A2C785
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a781e0a7c3b696f4b9ace85554ea4ae49b709c64aea7e29bb5e2186135bc43e7
                                                                                                                                                                                                                                          • Instruction ID: 22384e9cb4e007aa1fcb9dff33f53e0fa7114af73c081b3b265d40b941e38976
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a781e0a7c3b696f4b9ace85554ea4ae49b709c64aea7e29bb5e2186135bc43e7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B7D0A752F5E3543BC71912BC342435E6B688F42520F0295E7DE0CDB282D8688C004381
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e1f81de189a9caf99460fdbaa83ec536765358499a2da5732882269c48187687
                                                                                                                                                                                                                                          • Instruction ID: a6f2726279f0d91ec993b98c0219220467f53b830e5aaaa962e9bf2964a23feb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e1f81de189a9caf99460fdbaa83ec536765358499a2da5732882269c48187687
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 29D01770A11208EBCB04DFB8E95155EBBFAEB48204B1059E9E408E3241EE316E04AB91
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 66635220d6c7ecd1a84e211f72ccddd63ba8efb31442ed443ffa35d434f90cb5
                                                                                                                                                                                                                                          • Instruction ID: e56cbd2212df4896f448a4413ec105e00106a07674d52fcdecd8b6ca3a303f83
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 66635220d6c7ecd1a84e211f72ccddd63ba8efb31442ed443ffa35d434f90cb5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4AE0123074460ECBDB149FE0C6667AEBB75BB14305F20DD59D401E6284DB745546CF40
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9f18545d83bcdbc8463873ca3d7dea23bb6d2717cd40ceafe4abd7e108bdf3de
                                                                                                                                                                                                                                          • Instruction ID: 9732b32bbb3913e3bcfbc29eba24680526274a5d904a7efdff8b89d8533d4110
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9f18545d83bcdbc8463873ca3d7dea23bb6d2717cd40ceafe4abd7e108bdf3de
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 52D05E75911209DFCF00DFB4E95695DFBF9EB44200B2086A6E404E3224EE305E44AB81
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: db8cbc850bea2ca22c0a7d2d2435638c47b4000deaf7ac185ef7fcf306a3b9a2
                                                                                                                                                                                                                                          • Instruction ID: a45cd56ab88e5d8b96fb167c61f51fadbfb21ef20816e6aea379158080f12c02
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: db8cbc850bea2ca22c0a7d2d2435638c47b4000deaf7ac185ef7fcf306a3b9a2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 06D022B07387408BCF0C8A30A0353BA7B08C348208F0098BEDA0BC36C1FA38D8125A81
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a10bd301b5ad6605fc997e29a640815d0c4df1a66762ccd5238b8c21da26b78c
                                                                                                                                                                                                                                          • Instruction ID: d984c521029a4c157b1155672d1ba55bf347276f3ea6f6739662dd936d71fc62
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a10bd301b5ad6605fc997e29a640815d0c4df1a66762ccd5238b8c21da26b78c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BCD012F7679646AFE3054A048C865F67770FB713063948249C48491043D33AB127D739
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0ec4049e581e9a7fca1cf177ef03dfa0ef7b751f042adbd74b5f33982986ea7a
                                                                                                                                                                                                                                          • Instruction ID: 43ec927d89b4d2f3359c817add196466826235d3ba9d62e262f18f071e6db560
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0ec4049e581e9a7fca1cf177ef03dfa0ef7b751f042adbd74b5f33982986ea7a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 89D012357053199BCB055A55D910855BB2AAF95668328C0ECD94C0F755CA33FC43CBD0
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2922688e2781243d41a18fbd1bcfadbdd3d5c20420b25348debb814adeb54260
                                                                                                                                                                                                                                          • Instruction ID: 6b17a1ddc2134e70ab2b276edcab6b0fc6745c39fdc0e7b3ee7418f1aab65cd0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2922688e2781243d41a18fbd1bcfadbdd3d5c20420b25348debb814adeb54260
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AFD0C9303146058BCF48DA64E575535B799DB8865870498ADA80BC7381EF36FC129644
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c79fa68d7d340f9b45551ce131d38b0342c3985d4382ecf6e25c640449f9bf56
                                                                                                                                                                                                                                          • Instruction ID: e3eb86cc073ace85731e977410d007560c408343c356bef7b11c022dc83bd489
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c79fa68d7d340f9b45551ce131d38b0342c3985d4382ecf6e25c640449f9bf56
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A3B092B090530CAF8620DA99980185ABBACDB1A210B0001DAE91887320D972A91066D1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dfa9eef8fae8e96015ce724d49d6f9c1d93d69236d8a070305d069eaa7af6418
                                                                                                                                                                                                                                          • Instruction ID: 2a697bf5508ab2018e299309f136258ed6e9530cf74564d2ea99c8865074e7b8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dfa9eef8fae8e96015ce724d49d6f9c1d93d69236d8a070305d069eaa7af6418
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (jq$,jq$,jq$Hjq$`]kq$`]kq$reateContract
                                                                                                                                                                                                                                          • API String ID: 0-3663913273
                                                                                                                                                                                                                                          • Opcode ID: bd85137fbc457a26f9e933464fe02ba92d1d38b38d712f66aac6fe9700ee31e4
                                                                                                                                                                                                                                          • Instruction ID: e6f829583e6b032e5aefa0bd1658f0d2c62caf8e40a6ec636e3d157b6590261f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bd85137fbc457a26f9e933464fe02ba92d1d38b38d712f66aac6fe9700ee31e4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C0410635B041248FDB38AB2CA46446E37E6EFCA72532455EAD106DB3D1DE64EC018799
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (jq$(jq$(jq$Xjq$reateContract
                                                                                                                                                                                                                                          • API String ID: 0-478771143
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (jq$ParseExpression$get_Operation$teFSharpFuncCall$tion
                                                                                                                                                                                                                                          • API String ID: 0-2014644958
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (jq$,jq$,jq$reateContract
                                                                                                                                                                                                                                          • API String ID: 0-2118333892
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1730985338.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4300000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: ParentToken$Properties$dProperties$rties
                                                                                                                                                                                                                                          • API String ID: 0-655320225
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1736330125.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_7360000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1736330125.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_7360000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1736330125.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_7360000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: $fq$$fq
                                                                                                                                                                                                                                          • API String ID: 0-2537786760
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1736330125.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_7360000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (jq
                                                                                                                                                                                                                                          • API String ID: 0-3225323518
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1736330125.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_7360000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (jq
                                                                                                                                                                                                                                          • API String ID: 0-3225323518
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1736330125.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_7360000_rundll32.jbxd
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dd250191cda84c0c3cb82ecf149039ea66fbe3a9ac713caf56dde591abb56fa8
                                                                                                                                                                                                                                          • Instruction ID: cb8644365227f2943159b44b4540de45ea344edb0365bdea2a7deebc366bd5d3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dd250191cda84c0c3cb82ecf149039ea66fbe3a9ac713caf56dde591abb56fa8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A80180B4B001158FEB65AB7890281BF7BE6ABC9241B058969C50DD7344DF3499038B96
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1736330125.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_7360000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b7a11f9e0e4a899610215dae70a5574dc78c1dcebec2cdac845d86227ae4d9d3
                                                                                                                                                                                                                                          • Instruction ID: 4e953712bbc353857cbd2f6d306dfa0668b1659beb2fd927744271e27d16a95d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b7a11f9e0e4a899610215dae70a5574dc78c1dcebec2cdac845d86227ae4d9d3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1D01FCB160924E5FDB09DFF8747622A7FB9EFC21107041869C90DCB155FD9488408790
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000002.1737149131.0000000004DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DCD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4dcd000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5d55598f5b0adc8335927dadbf907ec364d7fc2e76bffbf4224717b65d8f5eda
                                                                                                                                                                                                                                          • Instruction ID: 73caa319c515b763dfc62b12837986c1c8904f3c9605ad464a940eb4bf8157f9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5d55598f5b0adc8335927dadbf907ec364d7fc2e76bffbf4224717b65d8f5eda
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FE01F7716083019AE7204E6DECC0B67BF99EF41324F18C52EED484B242C678A841EAB1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000002.1737149131.0000000004DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DCD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4dcd000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d4abc36bd8d5779115185caed7d3336d0b91792682a8fd2ba97526a5e60f13c4
                                                                                                                                                                                                                                          • Instruction ID: 17eae23b6ef9726c79015b80da8c25245a18260763e42838b4c3141f2ff8f52e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d4abc36bd8d5779115185caed7d3336d0b91792682a8fd2ba97526a5e60f13c4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 83015E6150E3C05FE7128B259D94B52BFB4EF53224F19C1DBD9888F2A3C2695849CB72
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1736330125.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_7360000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c07f21ca7249dd5d656b3d4531472166871f060c567a5a79f45d6fc9e2d359f2
                                                                                                                                                                                                                                          • Instruction ID: 65826266adb83d33e4891e4393263fd495c18f8610fc1c1d04a435244d15b54f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c07f21ca7249dd5d656b3d4531472166871f060c567a5a79f45d6fc9e2d359f2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7E018F75B102158FCB04EF74D4156BE3BF2EB89615B21446AD909DB310EF35A902CBC1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1736330125.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_7360000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f8d7fc68832259e877d67830b9737c46175e9139f05918bf6529e3305b084df0
                                                                                                                                                                                                                                          • Instruction ID: af75376489b922600ca7571525aec0439869cd990477db349493653ec5f8d82f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f8d7fc68832259e877d67830b9737c46175e9139f05918bf6529e3305b084df0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D001D1B5B1011987FB18AA6CC4597EF7ABA9BC8B00F10842AD419B7384CEB54D018BD2
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1736330125.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_7360000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: de20b058aa6f0c2c68f7bbcd62d53ef432e112ea426fbf0730a7f33f0ee398d2
                                                                                                                                                                                                                                          • Instruction ID: c0b1736e60c0519dafa5a87e6f3f3da7abdac164f9c5983fda9e38a633731e2d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: de20b058aa6f0c2c68f7bbcd62d53ef432e112ea426fbf0730a7f33f0ee398d2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B9F068727503058BEB0CAB74F99966A3B62FF80614B04C429E5058B2C4DE66E88667D2
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1736330125.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_7360000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9e08a181a05dd8ea82c1df5ed2eccac64ebbfbb878f220f3e2be2e6aca79c296
                                                                                                                                                                                                                                          • Instruction ID: b357b425cf2ec4325480dd83295bad0f480d1358baf930a20da4aec469c03fe0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9e08a181a05dd8ea82c1df5ed2eccac64ebbfbb878f220f3e2be2e6aca79c296
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 63016D74B102158FC704EB78D41967E7BF6AB89615B114069E509D7324EF35A902CB81
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1736330125.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_7360000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b16596d68f606c585f3829193ace2499de3a06076e3c3345bb6383e64282e210
                                                                                                                                                                                                                                          • Instruction ID: d79db035572d0018ab9b1f652ba42e902ddf996dc3c8f6ced2d30754c18910a6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b16596d68f606c585f3829193ace2499de3a06076e3c3345bb6383e64282e210
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 66F0B4717003058BEB08AB74E958A6A3B66FBC0614B04C428F5068B2C4DF76E881A7D2
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1736330125.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_7360000_rundll32.jbxd
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 379e3061103f11ce33f92a65ff417486748d79b6d6c9906f5140d0096d075afe
                                                                                                                                                                                                                                          • Instruction ID: 4afd1f764ed2a8b2bfc5f0bf6ea5e30cbff0d9d55bb2f663908180fe5d01e815
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 379e3061103f11ce33f92a65ff417486748d79b6d6c9906f5140d0096d075afe
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8E315C70E1992D8FEBA9EF44C4A07E8B7B1FF58300F5141B9D01E93299CA346A85CF40
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e3c6e65066ff058f463f23f72e88f1943d1348117202f4541e38e29a11ffebc1
                                                                                                                                                                                                                                          • Instruction ID: 8d2c3b5db38f1eae3372d3f1a18ad3984627d67ec5f754cff9fbe7822361796b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e3c6e65066ff058f463f23f72e88f1943d1348117202f4541e38e29a11ffebc1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A6014C31E5551D9BE7A5EF68D8A53F8B6B1EF05701F4140B9E01DA22A2CE382FC49F00
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: M_^
                                                                                                                                                                                                                                          • API String ID: 0-3807191693
                                                                                                                                                                                                                                          • Opcode ID: e45bdefec38acf237eb8ecb2b0b0637fbf63611e793d647b334beb593d63413b
                                                                                                                                                                                                                                          • Instruction ID: 6450f3267a634c4fa97483cb21729dd4abef7cf263a6bb7b150c05fe68b0f9c7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e45bdefec38acf237eb8ecb2b0b0637fbf63611e793d647b334beb593d63413b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AAC10B22B1F6990FE326B7B868650F97FA0EF46221B0907FFC089CB4E3D91C55468391
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1790143808.00007FFD9B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b4e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 58d371ff9a25c2bc2fceefc4096f744c9fa7f71aeee9f71faae3335738917d04
                                                                                                                                                                                                                                          • Instruction ID: f20578cc52832b44a9e1d5061808616fc8e16593b31e679ae0813adb59402e89
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 58d371ff9a25c2bc2fceefc4096f744c9fa7f71aeee9f71faae3335738917d04
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E5F14920B0DA4D4FE769976C986A6797BD1EF5A710B0502FED09EC72F7CD18AC428381
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2dffc62dfbd388eacad39c3a811637318ddb5ea41c4d7879cbda6ab2f965bdcc
                                                                                                                                                                                                                                          • Instruction ID: d018ea512d575b0c5232649558d8598e038f1dcbbd12af0db711cf3d068143fc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2dffc62dfbd388eacad39c3a811637318ddb5ea41c4d7879cbda6ab2f965bdcc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6A225B70A1991D8FEB99EF24C4A4BA9B7A2FF58304F5044FDC01ED7295DA35A981CF10
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 748acfa297cf2088c31b0a79ea42fa9a70d0148097dd1a8f622ba80105807fc7
                                                                                                                                                                                                                                          • Instruction ID: 0c33002d3b5a88e660205948bead060517d49b7d8f653d99e2c1a0c12f933250
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 748acfa297cf2088c31b0a79ea42fa9a70d0148097dd1a8f622ba80105807fc7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B3F1A330A19A4D8FEBB4EF68C8657E93AD1FF54310F44423ED84DC62A5CE78A9448B81
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d794c80ec186b2e410bae4f45e6ce0dd47d18c30944cf76ac88d8d473a2f986c
                                                                                                                                                                                                                                          • Instruction ID: 8dcabe20bb02060057063ad53ba442860e92cc740d844fcd8ac2c85ebc6cd52d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d794c80ec186b2e410bae4f45e6ce0dd47d18c30944cf76ac88d8d473a2f986c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F1E16030B19A4D8FEBB8EF68C8657E976D1FB54301F41423ED80DC72A5CE74A9848B81
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 96c02a6e623406063a0ff6cb3e289d0832fef940337d43eb876c1e884019c597
                                                                                                                                                                                                                                          • Instruction ID: a7839058712bc4c21687467756b073825559858c114b0c56a7b7ed113dedcf60
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 96c02a6e623406063a0ff6cb3e289d0832fef940337d43eb876c1e884019c597
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 80E1A470B19A8D8FEBB4EF68C865BE97BD1FF45300F04426DD44DC62A5DB38A9448B42
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 932621203626c74c5541270630f1fd4d7c23e5d082e2d496a8a9c87271e1efd4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7B513D34B0955D8FEF98EF98C4A5AEDBBB1FF59300F11046DD00AE72A1DA34A945CB40
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1790143808.00007FFD9B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b4e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bb9af04d3e747a084ee33ed8683d950c037f7e9c735c27b76d8cc69c43828273
                                                                                                                                                                                                                                          • Instruction ID: cb05815a5338796eb398e0ca58542b09a418625c904405e0c17372c48dedc425
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bb9af04d3e747a084ee33ed8683d950c037f7e9c735c27b76d8cc69c43828273
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 46413922B0EF894FE792D77C48A65647BE1EF6661430A02FBD089C72B7D818AC039341
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6f422fda97ff2e5b65e08ae9aa82b22e8d98b87ad900818c0757cc1901ab60b2
                                                                                                                                                                                                                                          • Instruction ID: fcbe0a8bd2e28974f7414f3e4e383c02689470f49f8bf99e9f861cbfb292513b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6f422fda97ff2e5b65e08ae9aa82b22e8d98b87ad900818c0757cc1901ab60b2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D7514170E1951DCFEBA8EB58D498BEDBBB1EB58305F5041AAD00DE3291DB749A84CF40
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e14964d5df35bf16c67c618bf18c78a8fb8823e98a431ca47f1eab49f51fca5b
                                                                                                                                                                                                                                          • Instruction ID: 44d79bc1ef8c127518c20ce9b419e6abc04d1e7451e8cc7b65804ebd270f2fe9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e14964d5df35bf16c67c618bf18c78a8fb8823e98a431ca47f1eab49f51fca5b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 02412A61B0EACE5FEB51FF6898615E93FA0FF96310B0642BED458C70E3CA246806C740
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 630b668358af2331ee0ca7b43885281caa049ee54f82291c0c78f289b4920f28
                                                                                                                                                                                                                                          • Instruction ID: 9bdb61084fb6444c76ed0371f48cd6da8f5a6e12b4f7d9fcad5b36c0d20722ab
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 630b668358af2331ee0ca7b43885281caa049ee54f82291c0c78f289b4920f28
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3541E970A09A5C9FDB98EBA8C494BADBBB1FF59301F4141A9D04DD7261CB399985CB00
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 87dd252e82c153ef68fd6e55f8af0152be3fdcf10cd46fdc20e07efa974bf05e
                                                                                                                                                                                                                                          • Instruction ID: 8a4593b3cca2cbc434141234bbbca408f23231651e754819a822cf0c0fdfa2ec
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 87dd252e82c153ef68fd6e55f8af0152be3fdcf10cd46fdc20e07efa974bf05e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9331A330A0E7CD5FE7A6EB6888657A97BB1EF46210F0445EEC04DD71A2CE395D85CB01
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cb26ff855ff24f9319ff659cc192b9460577d1eedd5ef65814eba150daff42b4
                                                                                                                                                                                                                                          • Instruction ID: 55859dce80653d70f5fc2cd44107f71e9702ec922b989566078d5703b2fe5955
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cb26ff855ff24f9319ff659cc192b9460577d1eedd5ef65814eba150daff42b4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 82314030E4A65E8FE769EFA494647F9BAB0AF06300F5114BDD04A672E1CA785B84DF04
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6d93a6c219eb7c794da3b163b66b2be9c614d6c1a83fe3248c4389bce2f7d2e7
                                                                                                                                                                                                                                          • Instruction ID: 3c554cc5ffe2da16085891406c7abbaac817d2972daebb3c78732f8509e25a09
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6d93a6c219eb7c794da3b163b66b2be9c614d6c1a83fe3248c4389bce2f7d2e7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F621D122B0EB9D0FEB15EB68A8614EA7FA0FF45320B0503BBE458C71A3CD6499458351
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: de16f0252cbb45a6982e1ec06560f42571b257839ec3e315e06d8cead2c178d6
                                                                                                                                                                                                                                          • Instruction ID: 2f870766fb86c532ba1b28cd08f474006e57ef28c6873fc5f7bce0c8befc2263
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: de16f0252cbb45a6982e1ec06560f42571b257839ec3e315e06d8cead2c178d6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C8217C30E19A5C9FEB91EBA8C855AEDBBF1FF59314F00057AD008D71A6DB3498458741
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cea1d9f571e9acbb5ea7df4826ac60e13763f45075ced7f623c147d9e8b9c772
                                                                                                                                                                                                                                          • Instruction ID: 2434a8a83361c7aca15a6121b450c382ec516d340bb18407aa59e6893c5b86c7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cea1d9f571e9acbb5ea7df4826ac60e13763f45075ced7f623c147d9e8b9c772
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 45215E34A0965D8FDB58EF94D820AFEBBB1FF49300F01016EE009D72A2CB346954CB50
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 25ed8f9e34287f2d00c5a0daf3b2d0c3bd75231d7e22e09bfe5b8ef5861b35ca
                                                                                                                                                                                                                                          • Instruction ID: 86d1f66cbef25650412bb92e53ffe06c850c1cc16de6bba343ca468339a72ba1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 25ed8f9e34287f2d00c5a0daf3b2d0c3bd75231d7e22e09bfe5b8ef5861b35ca
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0621F870E1950DEFEB54EBA4D465AECBBB1FF59301F5100B9D009D72A5CA38A941CB40
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 50c449da35e8670f29b5fee3cda362102a87af0e973157d443e8dd8b4d1cc7d8
                                                                                                                                                                                                                                          • Instruction ID: 56ccf55f6c4a6e969988dabb3889613fcce8f0481c257e29444c8aedcd88eb93
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 50c449da35e8670f29b5fee3cda362102a87af0e973157d443e8dd8b4d1cc7d8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 40310A70E0A62D9FEBA5EF6888557E9BBF0AF18300F4541E9D04CD31A2DA785E85CF40
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c265dfdb7263fc85c1ff49fb8603c180a93693792a4db543e3c28079815f3402
                                                                                                                                                                                                                                          • Instruction ID: acb857aebcf177453081ae865cc1a69f6bb73b93c7c6d21bccf18f475b14282f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c265dfdb7263fc85c1ff49fb8603c180a93693792a4db543e3c28079815f3402
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8E11B271A1EACD5FEB95EBB4C825AE8BFB1EF56300F4501BAD048D71E2CE286945C701
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b97ba1a71fe0d7facd28af7c375daca4c86851f16f5a67d6768a1e478b45ca75
                                                                                                                                                                                                                                          • Instruction ID: 05675fedbd6bfe543cad2147695f6c792c00c656ff25045119417547190e4533
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b97ba1a71fe0d7facd28af7c375daca4c86851f16f5a67d6768a1e478b45ca75
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2311E922B0B6DD4BE720FF6998B15F93F60FF02214F0506BAD45C870E3ED2965568241
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2c936c922a831fccc7d681ea9808a63cdca388072bf0389d6fd265b22b87d832
                                                                                                                                                                                                                                          • Instruction ID: cfafde679b70ffa5213cc44093840c179c662565a1a6648826d227f72b2b8c94
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2c936c922a831fccc7d681ea9808a63cdca388072bf0389d6fd265b22b87d832
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E901B521B5A98D5FE750FBAC58659FEFFD4FF8A211B8006FAD059DB1A2DD1828038701
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5ec7424e853e772fcfe61066762701a78005bf27690c620434abf12d2baa0961
                                                                                                                                                                                                                                          • Instruction ID: f565787e7fb966d7aad2de39425f5da63d8a2f6727eefbffc84893f670a871ad
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5ec7424e853e772fcfe61066762701a78005bf27690c620434abf12d2baa0961
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3311CE31E0DA8D9FEB50EBA4C8656EEBBB0EF46310F0106BAD009D71D2DE6865558B41
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 491ae1373979c56fd7520ea7a6d5fafdd90b8bc255938305b415de4a36500fb8
                                                                                                                                                                                                                                          • Instruction ID: 286da50be5e00239bd719325b468a2cf69c1693e50e45a33dcb7c5da20be0137
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 491ae1373979c56fd7520ea7a6d5fafdd90b8bc255938305b415de4a36500fb8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0411A234E0991CCFDFA8EB98D494BECBBB0EF19301F5111A9D00DE3251DA39AA80CB00
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 493c0f7176f7840be86d44d5052c4d5cd15a882e606413e7b1f8765dbb70fd57
                                                                                                                                                                                                                                          • Instruction ID: 973e8815c692764426846315c85d303d41f8d031f06ffe771550969a77af5e7f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 493c0f7176f7840be86d44d5052c4d5cd15a882e606413e7b1f8765dbb70fd57
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4E112E70E09A2D8FEBB5EB5888557E9BBF1EF54300F0141F9D04C97261DA785EC58B80
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0eb460accec49b4a51a6952167c0aaa52b070ba6b093872ddc68b97e9362da17
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5BE04F30A0A6994FE79AEF2884557E9BBA1FF49300F5005FDD00DD76A6CE385E82CB00
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 14a0ca8bba5b5f00c68c90b6e1d8fe6a5a0bb7fff0d032363f4587f42968bf7d
                                                                                                                                                                                                                                          • Instruction ID: 9b4e0c43109e93759f406436c329c7528eec2cd9c8399f702864f843c88f1a85
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 14a0ca8bba5b5f00c68c90b6e1d8fe6a5a0bb7fff0d032363f4587f42968bf7d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 82E0BF3470660D8FE794EF64D465665B7A2FF45300F92447CD41DC72A2CE369941C700
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d743fe3937a122bd01d864e78f4bd867375fe787286235344d087f3f4ec88a41
                                                                                                                                                                                                                                          • Instruction ID: 77edbf8f64983ed2bd2fb5c05dcecf803cae12ef46cc3e1a464cbab7ad67ec34
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d743fe3937a122bd01d864e78f4bd867375fe787286235344d087f3f4ec88a41
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 85E0C270A0A1995FE701ABB8C8606FEBFF0AF06304F4942A8C480270A3C77C5C42D300
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5d770a0da400983d5858bb3667988dc4607e0795f38790422e2927bc26520847
                                                                                                                                                                                                                                          • Instruction ID: cb715549aa172a8b557048c52f2868a30d8575cb1b9a68c23807fab68640e4a0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5d770a0da400983d5858bb3667988dc4607e0795f38790422e2927bc26520847
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1AD0127160B9997FE711ABB844654AEBFF0AF0B200B4544E8D0855B163C12DED43C700
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0cd5977a7e62862c6c5f4b44da52816e31060d1348552ae7013c846880e91b17
                                                                                                                                                                                                                                          • Instruction ID: 12a872ebfd87bbc0cd43d0248c4671d847879d102ff73aa6d136c170db3e6190
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0cd5977a7e62862c6c5f4b44da52816e31060d1348552ae7013c846880e91b17
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6ED0127014B4C92EE3426BB844215AA7FE05F07110F8D48D8E4844B0A3C06C58478301
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1789892612.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4db7e997fc44cbe5bcde5953b4116c764836bf346ba6dd5c1a6b7f147ab74357
                                                                                                                                                                                                                                          • Instruction ID: 1ecb319211f78f26fb6c244aaa3560049cdc9c02f8c89ec00ba5cc2e9241914d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4db7e997fc44cbe5bcde5953b4116c764836bf346ba6dd5c1a6b7f147ab74357
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4AA00242BCF46F01E45470DD78624D8B644C785171BD66576ED0C8415A989E1ED64285
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 23188477f07fc737572e11161e5050c586136530a8efd013f660b87d377c3f6d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CD41BD71E0A64D8FD768EFA4D4653FDBBA1EF49304F15007ED008A72E2DA396A45CB40
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e8e07180af79ad671229101bbbf7898a5f5b09a11b2bfcecc84d6146fb019d98
                                                                                                                                                                                                                                          • Instruction ID: 6b2893af0451b3ea7d1a31ab9efa12f0068144ea5c135b0d465e7f88e1dfa105
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e8e07180af79ad671229101bbbf7898a5f5b09a11b2bfcecc84d6146fb019d98
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 34324E31B1DB894FE765EB6884616B57FE1FF95300F0541BED08AC71A2DE28E802C781
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d712b7cabc9854e4a1da82e2be48901e0e483fd097ad26d782cd9c51e6981214
                                                                                                                                                                                                                                          • Instruction ID: d21dba5ad86e3788c651cabcc27f14966a398dd36224cbcfb2c7fbe6cfa277f1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d712b7cabc9854e4a1da82e2be48901e0e483fd097ad26d782cd9c51e6981214
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A812E57071DB894FE769EB6984A167ABBE1FF95300F04457DE48A83292DA34E842C781
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5d4f1ec4ed67312f7d868c5080333d781c46e7beb76c759b2d9aa76cc632328a
                                                                                                                                                                                                                                          • Instruction ID: 3161dbeeaf22453e4c1fc415625dae95e7fcf45024d7f3098333b1bf3b67920c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5d4f1ec4ed67312f7d868c5080333d781c46e7beb76c759b2d9aa76cc632328a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D6F1D37071DB498FE769EB69C4A066ABBE1FF95300F44457DE48A83292DB34F842C781
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 13x$2;x$3Cx$4Kx$zN_^
                                                                                                                                                                                                                                          • API String ID: 0-2764529558
                                                                                                                                                                                                                                          • Opcode ID: 7741c49245360a24c82cf9219ef63ab1d8b4bb7588508c617154bc36a24b03b4
                                                                                                                                                                                                                                          • Instruction ID: 42c1369e40d3928e34e8441c4eb65cae1b55dd7e77dea54ab14127deb546ff36
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7741c49245360a24c82cf9219ef63ab1d8b4bb7588508c617154bc36a24b03b4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C642F027B1A52B4AE224B7FDB8614FD6B50EF80376F55427BD24DCA0E38D1836C642E4
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                                                          • Opcode ID: 776a1c5a0fde309d71d726c4008b13ce7ff9952fc4b292fa12d7f6b998b4c179
                                                                                                                                                                                                                                          • Instruction ID: 52a7bada6e8c6bfa2ef40d1d25b140f3ae0534b5f67c590e88b7d887b7f3b5c3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 776a1c5a0fde309d71d726c4008b13ce7ff9952fc4b292fa12d7f6b998b4c179
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C2D13230B1CB494FE728EB5C94915B5BBE1FF95314B1446BED08AC32A6DA35F8428B81
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                                                          • Opcode ID: c2cc96b118e6b2f3ab246d4c0055d6c910bd83112252ca72e77793132269ca38
                                                                                                                                                                                                                                          • Instruction ID: b5789930edef5ec859a392efed7f3847308646bc22a0a018d56bab9a8a4dd5c6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c2cc96b118e6b2f3ab246d4c0055d6c910bd83112252ca72e77793132269ca38
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 35C14230B1DB8A4FE769EB598460535BBE1FF95300B1945BED08AC72A6DE35F802C781
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                                                          • Opcode ID: 342a6d255d6f3f9d91bb22be716a10e783357c8dd09a9492d2fdd77af5b47408
                                                                                                                                                                                                                                          • Instruction ID: f95af74be2d160c17c647b2d997ed078899f689db102df1b5759be3f449e6f1d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 342a6d255d6f3f9d91bb22be716a10e783357c8dd09a9492d2fdd77af5b47408
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5EB1DE70B1CB098FE768EF4CD4A1539B7E1FF98700B14457DD49A836A6DA35F8428B81
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 'T_L
                                                                                                                                                                                                                                          • API String ID: 0-895320791
                                                                                                                                                                                                                                          • Opcode ID: 1dc63099376f05b1b3ae18b4f530208397f382981dd57de54eda19a9286c81bc
                                                                                                                                                                                                                                          • Instruction ID: c1350ade2ed45635da0919de3bffb1cc5ce0651c8b3b5afb4196da7a9c9d6c39
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1dc63099376f05b1b3ae18b4f530208397f382981dd57de54eda19a9286c81bc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 88711871B0990D4FF7A8EB6C942967877C2EF98351B4101BEE40EC32E7DD28AC014381
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: ZN_^
                                                                                                                                                                                                                                          • API String ID: 0-1308667256
                                                                                                                                                                                                                                          • Opcode ID: d5fc5c3f9780dc4c8041c5b675bf9d6cc3e54b83cf2ee0f207f6957ba2fee3d8
                                                                                                                                                                                                                                          • Instruction ID: 5ecd3cb38ed5d7af1d1172d512243c2590c4765d1aa9e8e1c15edae6d24dafcb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d5fc5c3f9780dc4c8041c5b675bf9d6cc3e54b83cf2ee0f207f6957ba2fee3d8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 73517D62B0FD4E0FE7A4966C98692B577C1EF99B14B1501FBD0CDC32A3DD149C028381
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: ^N_^
                                                                                                                                                                                                                                          • API String ID: 0-3244440111
                                                                                                                                                                                                                                          • Opcode ID: 2953bb2cdf993e432f156424aaf088ccf57302ed32f01e429397de1e317faee8
                                                                                                                                                                                                                                          • Instruction ID: 0d4bea744eb7e35be190ebf6b422f4bd1c8e10a43159bf25803e2df19fe9d3b8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2953bb2cdf993e432f156424aaf088ccf57302ed32f01e429397de1e317faee8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FD51B422A1D7A54FD342B778A4761D83FB1EF4223170942F7C189CF0E7E9582886C791
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: X
                                                                                                                                                                                                                                          • API String ID: 0-3081909835
                                                                                                                                                                                                                                          • Opcode ID: bbef2425be29f08c65f26c95d5753967de4fb318b5d5e227b3ee3cb7e7ce95ed
                                                                                                                                                                                                                                          • Instruction ID: 0fd7080dbe79c2d2a991db983fba91b8770ea5a11c05e87163620eb0cf9a102f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bbef2425be29f08c65f26c95d5753967de4fb318b5d5e227b3ee3cb7e7ce95ed
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F9612975E0A61D8FDB64EBA8D8657EDB7B0EF55315F5001BED009A32E2DB381A45CB00
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: :
                                                                                                                                                                                                                                          • API String ID: 0-336475711
                                                                                                                                                                                                                                          • Opcode ID: cdf1eb361a57fb8a2b15e24d19a3dc0d1a16879d9bb952782c014c69329203e0
                                                                                                                                                                                                                                          • Instruction ID: bc984823f9a2feb52b6fa4c5bcefb19659ab58c7e659d86c6c002f5e0f37a07c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cdf1eb361a57fb8a2b15e24d19a3dc0d1a16879d9bb952782c014c69329203e0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 25413A12B0E59A0FDB55B7BCA8645E83FE1DF86265B0901FBE58CCF0A7DC1C98858391
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2252958844.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b5f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fe0ae6907ba9af399d39851fd2a63918a5c1458057cc455316bdca9d563093ee
                                                                                                                                                                                                                                          • Instruction ID: e3fed9b7a181428aea1b14c7d173561623f5c77855c87633da94ff7c5279f25c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fe0ae6907ba9af399d39851fd2a63918a5c1458057cc455316bdca9d563093ee
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5C6216B1B1DB8A8FE7A9DB689465B69BBE1FF54340F1500BDD04AC32A7DA34E801C741
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 17e11a403e98a5cfc288f803e7f4cdf63981db9f7e142ac807a1dfa3929609d0
                                                                                                                                                                                                                                          • Instruction ID: e8d04a1d7a4bc52af0f7ce8de1286236e4129cf05f02bcb3878aa9b715227b39
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 17e11a403e98a5cfc288f803e7f4cdf63981db9f7e142ac807a1dfa3929609d0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FB221630B2D74D4FE769EB6C84A56397BE1EF95704F15417DE4CAC32A2DA38E8028742
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2252958844.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b5f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7dd6ba46eca65523dafc0ad490c8c56f3eb9eba4205da354ca89a789f505c5e4
                                                                                                                                                                                                                                          • Instruction ID: 01eff43f181cf01586534452e0bc7889f238f174c1fb8a9f805bf7a826f51a38
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7dd6ba46eca65523dafc0ad490c8c56f3eb9eba4205da354ca89a789f505c5e4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D4F15A61B1EB8E0FE7AA976854656B9BFD1EF55300B0501FED099C71E7EE28AC028341
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e477efef2403cc158252d553aa61b1107a286ffc1ce733e8b66ce8d9dbb0fd77
                                                                                                                                                                                                                                          • Instruction ID: 89925e083f1d3aab99c70165b128389dde54cd8f116bf5b52ef3f12025f72257
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e477efef2403cc158252d553aa61b1107a286ffc1ce733e8b66ce8d9dbb0fd77
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 89E16B71B1DA490FE798EB6C886567977E1EF99310B0501BFE08DC72E7EE24AC428741
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a4aad1d4d69c07eb0b8ac09dcadfbddf1dc2fefcb67c973279eb0a44b8268dbd
                                                                                                                                                                                                                                          • Instruction ID: f7717e0377a1a4551bb9dc2cc7991428d1c0e66a9f826337386f39f60d393fd3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a4aad1d4d69c07eb0b8ac09dcadfbddf1dc2fefcb67c973279eb0a44b8268dbd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0EC1F831E0A65D4FE764EBA8D8657E8BBF1EF46310F0502BED04DD71A2DA382946CB41
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 446850abc67be16a4029136a03d1b77c5499f677f9297fb967af0b043cc9b10d
                                                                                                                                                                                                                                          • Instruction ID: 472835d2de3795cc842d62c5e5e74deebdc6ed545851110d1ed84deef2b922c4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 446850abc67be16a4029136a03d1b77c5499f677f9297fb967af0b043cc9b10d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DBB19471F19A4D4BEBA4EB989865BECB7E1FFA4310F4442BAD01DD32D6DE2438418741
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4188beff7f01dcb5e45573b7617139d39b548da219031df81d489ebca6ea4797
                                                                                                                                                                                                                                          • Instruction ID: 468f9ac4b072ec9c61f52c5c3990bc99f3eb21ede220535c14ec3450c85d0367
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4188beff7f01dcb5e45573b7617139d39b548da219031df81d489ebca6ea4797
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2EA1233071DA0A8FEB68EB6CC4A4A7177E1EF55310B1605BDD08EC76A6DA35F842C780
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dd99f784e27c8a47deec2c632e3d85406aabb297d735a8474e49b4a73b32d77f
                                                                                                                                                                                                                                          • Instruction ID: 25edea3f0ac2affb043169c685a281e07a501838b9d48fb25b8bd3093fefbb0a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dd99f784e27c8a47deec2c632e3d85406aabb297d735a8474e49b4a73b32d77f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D5912771B1DA890FE798EB2C986567577E1EFA5310B0501BFE089C72A3EE25FC428341
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5c032cca7ba2b70463d7386c19568161a92dc3214ca59d3afaf3fda7cca60156
                                                                                                                                                                                                                                          • Instruction ID: 0e35a8a54ecf0bba809506deef512881f4973c3187a42fb5e603046431ca9025
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5c032cca7ba2b70463d7386c19568161a92dc3214ca59d3afaf3fda7cca60156
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C171E352B0FD1E4FF6B5E59C14792742BC1EFA8691B2301BBE48EC76A5EE189D060380
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6bae2211faad899320c51a1e485101b4b20eb4b03d853b0230a2e88e893658d7
                                                                                                                                                                                                                                          • Instruction ID: 390f12646ae9b6046f0d0874a0a29091f40494418fb7e5ebfb8ca8c32f1e1621
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6bae2211faad899320c51a1e485101b4b20eb4b03d853b0230a2e88e893658d7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 44913631B2DB4A4FE768EF6D94955B677E0FF94310B10067ED09AC31A6EE24F9428780
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d16bbec7f9baf9fef3f535c1c4a1a1593ffc40d1bab8f9ae21d165db1f4476e5
                                                                                                                                                                                                                                          • Instruction ID: c34ef0af155fac78a1b154e4a9fa1b37764e5ecd137a1fe69d0ae435274766d7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d16bbec7f9baf9fef3f535c1c4a1a1593ffc40d1bab8f9ae21d165db1f4476e5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A981F932B1D91D0FF7A4FB5C94697B937C2EF98360B0601BAE44DC72A6DD199D424381
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4cf4a30df6ade7d82259dc220764d9943f67dcef6237c943b820f1008d06d31d
                                                                                                                                                                                                                                          • Instruction ID: 72e0e37bd409b02765b2319f8f2116e78716a251580dafc566ada8e37301b7be
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4cf4a30df6ade7d82259dc220764d9943f67dcef6237c943b820f1008d06d31d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EE91693071DB894FE729EF6994955B67BE0EF95310F10067ED48AC32A2EE34F8428781
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8d5586012db02f3e39f109b152edfe359be2ec9ad2123c4cf51fdf633a19520a
                                                                                                                                                                                                                                          • Instruction ID: 248fdccedf3b95357fa7ffc866478b8f7651cea5f89dffbcc0bee554e3cc761b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8d5586012db02f3e39f109b152edfe359be2ec9ad2123c4cf51fdf633a19520a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 96A19471F19A4D4FEB98EB989865BECB7A1FFA8310F5442BAD01CD32D6DE2438418741
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 091b939c2e9a82ff2e80dadf9b5d14d5fdd1a6e1ae5dee55b2a415a4f2fd8afc
                                                                                                                                                                                                                                          • Instruction ID: 6505529a6e7823247efc8ab64ee8d30ae2ea6c1c2c34c6b46ba98ae59b57f124
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 091b939c2e9a82ff2e80dadf9b5d14d5fdd1a6e1ae5dee55b2a415a4f2fd8afc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CD61BA42F2F99E0BF775B2E864315F86F61AF5176070943BFD09E860E79C4939468281
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4918c0e8e8cabee7eaf191228094aed29a21d7b93145960eaf03cc0b5b86f2ef
                                                                                                                                                                                                                                          • Instruction ID: 05e65d6e75d21c554a889060653d5b43be4399a466e9438b13088660f4696a24
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4918c0e8e8cabee7eaf191228094aed29a21d7b93145960eaf03cc0b5b86f2ef
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DF51B942F2F99E0BF775B2F864315F86F61AF5076070A43BFE09E860E79C4939468281
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 503d9e38b84e680a536956281dfb6b8ae330260f33a9b0141dc5fb8f8acfc9e8
                                                                                                                                                                                                                                          • Instruction ID: 8316a17060d3e662af9c243e18ed42457f1a6da842794592aa694232e351c3a7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 503d9e38b84e680a536956281dfb6b8ae330260f33a9b0141dc5fb8f8acfc9e8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 54710571E0A64D8FDB65EBA4A8656FDBBB0EF06314F0502BFD009E72E2CA395541C750
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2252958844.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b5f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d077253730bb6a1e3ff6372bab6fe1d8606dcc1ad0274b12bc1bbfefdbfc6181
                                                                                                                                                                                                                                          • Instruction ID: d47a36d1c85cf114db4d48c9c99836a27a1a4ffd66d7e796468cd488410563c4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d077253730bb6a1e3ff6372bab6fe1d8606dcc1ad0274b12bc1bbfefdbfc6181
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9E51F431B1DE5D4FE7E99E5D54A4679B7D1EF98B00B0A00BAE049C36E7DD24AC428381
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 14352a4b60df2bf09b2b12615fed04e260775f176044d1aa99a3be2020a29929
                                                                                                                                                                                                                                          • Instruction ID: 01a28e566a15d580dcf78815ea4de46a57191d0b2d43aa9f035a0fea95007889
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 14352a4b60df2bf09b2b12615fed04e260775f176044d1aa99a3be2020a29929
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FF71F370D0EA8D8FDB55EBA4D825BE9BBF1FF56310F1001AED049D72A2CA395942CB40
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 99b39e7956cfe154f238a7879949a4e5130994e216a8d631c60452c3e33cadcd
                                                                                                                                                                                                                                          • Instruction ID: 4e24ef5a21b94f334df922eda37a5244fb2bd5e9d1c9b24d2ed470deecca6367
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 99b39e7956cfe154f238a7879949a4e5130994e216a8d631c60452c3e33cadcd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B6514230309A0E5FE768EF5CD894A757BE0FB98310B15067ED48DC7262DE29F8828780
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f8ba3fcd5674ea74bf040f6399c2030620301ea6d648627416a3c7e9550dd20a
                                                                                                                                                                                                                                          • Instruction ID: f63815686c9aeaf0fd8e796ad0adf0eafa5f23fb825df1ae1738395ea050bcd6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f8ba3fcd5674ea74bf040f6399c2030620301ea6d648627416a3c7e9550dd20a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 426116B1E0AA4C4FEB91EB68D8187997BE1EF59314F0501EED04DD72A2DA385945C740
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2252958844.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b5f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a79854a3fe0d4db7450f2d1697a7ef3efe6a5b0a43775ec602ea881b1398e3f0
                                                                                                                                                                                                                                          • Instruction ID: fce8fb367ae10eec150b1ed5edfa60b5fa1dfd7c6b55875eecaeb743376be1b4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a79854a3fe0d4db7450f2d1697a7ef3efe6a5b0a43775ec602ea881b1398e3f0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6351D83171CF498FDBA5DF18C4A4A61BBE2FFA8300B054679D049C7666DA34F941CB81
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2252958844.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b5f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 92f8bed0de3376942413520bf88750ca33bc116d42c93a2aa47b3055b0c5c636
                                                                                                                                                                                                                                          • Instruction ID: 1c642f8177e41c41bd218983200e8c7c08f144e4f231c751ee75231d781af87a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 92f8bed0de3376942413520bf88750ca33bc116d42c93a2aa47b3055b0c5c636
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 22519D70E0964C8FDB54EFA8C4957ECBBB1FF95305F1101AED448EB296DA35A982CB40
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 13b5d12174d71361e40b34d5fc5fff2f4a680fbb61702e47d1340a77d73c7852
                                                                                                                                                                                                                                          • Instruction ID: 3d5fefb513937a3c45f81a402b029fcb6b8da1caef96a1b329c8151df3f999a7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 13b5d12174d71361e40b34d5fc5fff2f4a680fbb61702e47d1340a77d73c7852
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 17516571F1591D4FEBA8EB5CC8A97A8B3E1EF58350F1001FA941DD32A6DE346E818B40
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2252958844.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b5f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1ffb7a1f81a57c6c1c9bd5a4c372595dbebf6c43f1df17cced4edaeb90eb7a68
                                                                                                                                                                                                                                          • Instruction ID: 720072598e817386b4fe4851cc98f810100554b148e38a1e3bee26d0c4bbc80d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1ffb7a1f81a57c6c1c9bd5a4c372595dbebf6c43f1df17cced4edaeb90eb7a68
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8B411531B0FA4D4FE7AA9B6C58766787BE1DF55610B0E00BBD449C76B3DC19AC028341
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2252958844.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b5f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 10f921d50e0e7a612057e8fa7a4cf3b4566b79aa35aa028b72f04258afbaf57f
                                                                                                                                                                                                                                          • Instruction ID: d0a9b7468f912812691fe9032a268e79e7c0f0a1269da528e387a0f0dac8c31d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 10f921d50e0e7a612057e8fa7a4cf3b4566b79aa35aa028b72f04258afbaf57f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BF512932B0EA494FD7A6D66888257A6BBE2EF95300F0900FAC04DC75A7DA299C45C781
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a66da0ff5a3175558dad79aba9535e7ae8e1ca9b4e6ff4cefd08eae7b87405d0
                                                                                                                                                                                                                                          • Instruction ID: 544ccb953667c3e8facc503382833c8cfe09f11a8711bc8471477eb4d8ca2137
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a66da0ff5a3175558dad79aba9535e7ae8e1ca9b4e6ff4cefd08eae7b87405d0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 88510870E19A0D8FDFA4EFA8C854AEDBBB1FF69305F11116AD40DE3291DA34A941CB40
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e275bf520a48551bf46626af69e01d05d7565cbe9df25879aaf5ee95b5912714
                                                                                                                                                                                                                                          • Instruction ID: 61b52711da2bdf5cd7876e9858007066edad6caeba476289c60e7583a15fc1ee
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e275bf520a48551bf46626af69e01d05d7565cbe9df25879aaf5ee95b5912714
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0341F462B1FB951FE756B7B898626A57FE0EF42219F0A01FFD089CB1E3D81858458341
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2252958844.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b5f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3305ad5c805d2ce36c3e7ab474eab26d0d34151ded11aa53846ebd9798f4fde2
                                                                                                                                                                                                                                          • Instruction ID: eb816c22b24d68fe2d68fdc9931598fa288bc81593c367dffa5049141e0825c1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3305ad5c805d2ce36c3e7ab474eab26d0d34151ded11aa53846ebd9798f4fde2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E341E721B1ED4E4FEBE9E75C50647B5A7C2EF98210F1501BAD44EC76B7ED18AD428340
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e39e41696b1c7c749360102c790f98bd5d530767c7b18e065ba2870ef67a567e
                                                                                                                                                                                                                                          • Instruction ID: fddc601429e101d065d53a0d855d5308f5a98d056d5dc1db6c6e6c46f372cc4d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e39e41696b1c7c749360102c790f98bd5d530767c7b18e065ba2870ef67a567e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9F410870E19A1D8FDF64EFA8D454AEDBBB1FF59314F11116AD00DE3291DA34A941CB40
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 06e6a3f4a7b3b2c1b8722b80c6daf555964aa9a3c2bd0e720cd2e95de3a410ef
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BD4119B1A0F5485FD766EB7898653A9BBA0EF52329F0501FEC049DB2F3DA251901C740
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2252958844.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b5f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 34755918e9f2e4b70183ee98979362252397ecd0b85e836b6cf406ff9cd3c027
                                                                                                                                                                                                                                          • Instruction ID: 42a5ccfc9dded0637b17ab055720cc09236f887db45c7729b646d7b746e55b3d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 34755918e9f2e4b70183ee98979362252397ecd0b85e836b6cf406ff9cd3c027
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4941253060E68D5FD7A6DB788865BA2BFE0FF42308F0904F9C059CB1A7D629E941C790
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2252958844.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b5f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0e9128f2fe62f0b5789c649c001484529982f15c59e89276e90b990a194c5039
                                                                                                                                                                                                                                          • Instruction ID: 53db4f42b9709b39c312963950c845b65b24dcbec04eebd8f2a5ffb3df1b7a9b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0e9128f2fe62f0b5789c649c001484529982f15c59e89276e90b990a194c5039
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 74316722B0FA8D0FD7EA9B6C58746B5BBD1DF9961070E01BBD089C76E7DD08AD428340
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5242a449d3f6764c3df8692c29af2ad17620c2ee376f8c1a01653677ffd593f6
                                                                                                                                                                                                                                          • Instruction ID: bbdd39797af858d78d2f9eaf697f77706d9b5440134d7ee8147e491f5a413f11
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5242a449d3f6764c3df8692c29af2ad17620c2ee376f8c1a01653677ffd593f6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5441B33071DE498FEBA4EB2CC0A0F7577E1EF54300B0645ADD08AC76A6CA25F845C740
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2252958844.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b5f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 954d43f5b4da4b689d6a38fe3aa97e82a8bd618964152af22026ea5d79be4a6e
                                                                                                                                                                                                                                          • Instruction ID: 83283f4a64e79da78a8484b36606575cafb0ef2b5c039ab4853ce8e310efe785
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 954d43f5b4da4b689d6a38fe3aa97e82a8bd618964152af22026ea5d79be4a6e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E9310720B0DB580FE7649B5D98657767BD1EF86B10F0502AFF489C72A2DB14BC4187C2
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a0b38be27919c80fef864feecc7a40c11ead9e5ad235ceacecb1fff0f97ca2da
                                                                                                                                                                                                                                          • Instruction ID: d6fe2a3f51ce78dfc37a5fae2b59a3493a8ed2a376a72ca340a3f47b8ed16b47
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a0b38be27919c80fef864feecc7a40c11ead9e5ad235ceacecb1fff0f97ca2da
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3D310A22B2EE8E4FE7A9E76C84755A977E1FFD525070941FBC08ECB1D6ED18A8024341
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f52134cf915f48c3ec7ffb788358389df92bec40ba78bad844a618ab46dcb849
                                                                                                                                                                                                                                          • Instruction ID: afce0a0885754c299361dce56f6708b7828f43ae3b1a2625154b9fec4d87d433
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f52134cf915f48c3ec7ffb788358389df92bec40ba78bad844a618ab46dcb849
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C731353272E9280BE328EA5CE86A5F577C0EF98365B0001BFE489C32A2CD156C4683C1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1576a1237b6a51762ccc5f5b652ec156dd3cc55c1c0ca40a3583c9bf01d6bc49
                                                                                                                                                                                                                                          • Instruction ID: 927da44dce4b9969e355c33b6c0c10b9776e44a70c115d9810f826fd27a4fa08
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1576a1237b6a51762ccc5f5b652ec156dd3cc55c1c0ca40a3583c9bf01d6bc49
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A841C271E0AA4D9FEB55EBA8D8656EDBBF0EF15310F4401BED049D71E2DE3825418B40
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2252958844.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b5f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5bd0abfd835af6d2ee525dd69b8bf7a19b874d45c5bdf2990aae900a4a37152f
                                                                                                                                                                                                                                          • Instruction ID: fd1400253c3d3791ff26bad40c13098fdb5445876a09ecb6bfb8f322b1632bf8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5bd0abfd835af6d2ee525dd69b8bf7a19b874d45c5bdf2990aae900a4a37152f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AE319271B1DA0E4FEB98EF588461AB973E2FFA4700B104079D05AC7297DE25F8428780
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7ff713a36fd2933a168ca034f89c0f407b2f6e6e8803fb9ac626140378e7a81f
                                                                                                                                                                                                                                          • Instruction ID: b740118fba4e0cf351a762d144676982219c6e2047bb4286f1b92a05fbe93e83
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7ff713a36fd2933a168ca034f89c0f407b2f6e6e8803fb9ac626140378e7a81f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E731C731B1DA498EF7A0E65C9494676BBD2EBA4324F05067FE44CC22B1CA54EA81C385
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2252958844.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b5f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: feda9fa232daff5c519748e0bfa93db470a7b5a57c110ceea9ae05e4d12b7bd9
                                                                                                                                                                                                                                          • Instruction ID: 809bf9bed2b2f888f079dd415870019462b3720b4ef464a596935f3a1a8cf6f5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: feda9fa232daff5c519748e0bfa93db470a7b5a57c110ceea9ae05e4d12b7bd9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 05310761B1AE4F5FEBEE976840756B9ABD2EF64340B4501BDD059C31E7EE18FD018280
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2252958844.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b5f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 71fc55d9cc4b8f50e588d0b995c92722e21364d06c82ca1a9d7fa0f07d1b6584
                                                                                                                                                                                                                                          • Instruction ID: 710c47df260e2c53b71c90931eb16b9cfb258f3eb6d3adbcae7b0970cb7690f6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 71fc55d9cc4b8f50e588d0b995c92722e21364d06c82ca1a9d7fa0f07d1b6584
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4831E721B0EA498FE7EB9A6C48796347BD5EF55711B4D00BBD489C75A3EC19AC018381
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2252958844.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b5f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f1b7dca69ebb5346893cfcbfbb198d3b228a32cbb7e4412047c4475c2237d377
                                                                                                                                                                                                                                          • Instruction ID: 6c497cd35587a2ef4ce7e781ac26f9ee3a9797246b795bc790c6d89b431c9222
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f1b7dca69ebb5346893cfcbfbb198d3b228a32cbb7e4412047c4475c2237d377
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8B310412B0F68E0FE7B596AB14603382AB0DF5B344F1605BBD09ECF1A6D908BA448721
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1933ad6ca145b5b463084997e9254184f8d8bba31c2b26c33ba508a6e882361c
                                                                                                                                                                                                                                          • Instruction ID: 92fedf3edf604ecb1e515b91be2abaf6b051339cff783b2333c3401d483a10d9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1933ad6ca145b5b463084997e9254184f8d8bba31c2b26c33ba508a6e882361c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7921D522B1ED4E4FFBE8E95C64B57B927C2EF98261B4141BBD80DC3695ED15AD024340
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2252958844.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b5f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4cddf7d0031abc5d38e7d7f08cf284e13e34a0a1657901d5369fb3382756cf7a
                                                                                                                                                                                                                                          • Instruction ID: 2d69b3db448c2279a4f210a4cb3652b48e23e73c9da3cadbf18485ef875ca6f1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4cddf7d0031abc5d38e7d7f08cf284e13e34a0a1657901d5369fb3382756cf7a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BF21F56370DE4E0BEBF8DA5E585067533E1EBA9350711063ED0AEC7295ED14BC028340
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 37eaa78469e9781a1bd7d9c023c0d1cbdbf44401650c1a599cca155fd5b655c8
                                                                                                                                                                                                                                          • Instruction ID: 8754811c9640b13267613a231ae493e6e13d10d7056be9b32c0408796c31dba2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 37eaa78469e9781a1bd7d9c023c0d1cbdbf44401650c1a599cca155fd5b655c8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9031F871A0DB894FE754FB3C8869665BBE1EFA5310F0541BED089C71E2DE24A941C742
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 01a73233e255e8dd0cdb2811d9f0bdd424896ca4015fe2a1e9277aa82026daab
                                                                                                                                                                                                                                          • Instruction ID: b5d8c119175e5fe214b5d26973e720bf05bec5d309daa5b58eb5a9d1f1e1350e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 01a73233e255e8dd0cdb2811d9f0bdd424896ca4015fe2a1e9277aa82026daab
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 25417B70A0965E9FDBA8EF98D9957EDBBB1EF54304F04017AD009E3291CA396944CB81
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f65dd50ca90b27ab73c0a4df9649bb3d3d6c649d3927ce739e81aa7127844901
                                                                                                                                                                                                                                          • Instruction ID: 13fe0a6c49a9d68cac85139ec9357eb4b10f86285f7806965617a4769c42bb80
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f65dd50ca90b27ab73c0a4df9649bb3d3d6c649d3927ce739e81aa7127844901
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CF314971B1AA4C5FE7A4EB7C882DBA93FD1EF58315F0501AFE04AC71A3ED2098408740
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2252958844.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b5f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 26a5f43305972387e323573e1b52f0b0e65e4f368838d9d47f5a00c6daeed213
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6531CF75E0AA899FDB51EFA8D4256EDBBF0EF55315F0400AED404D7292DA3A9840C740
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e448b96c6bd6d1cd5dbfa492ad3654aa33439ed78e16d43d1fc455789b043739
                                                                                                                                                                                                                                          • Instruction ID: eee07cf97ce40d80cf396344fe48ad374866ac47f523269cc5e49351d63ec03c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e448b96c6bd6d1cd5dbfa492ad3654aa33439ed78e16d43d1fc455789b043739
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3A21A1B5D0AA4C8FDB84EF68D8656ED7BF0FF64310F0400AFD009E32A1EA64A841C781
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2252958844.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b5f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dc6ef663e1c165403117fa8c105b929eea5df01c43510de74db8cbb72a67bb7f
                                                                                                                                                                                                                                          • Instruction ID: 341331d416c22818702d8bd97ef29df25da96f89111c0d21ad932cdf8dd9878b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dc6ef663e1c165403117fa8c105b929eea5df01c43510de74db8cbb72a67bb7f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AA21F872F0E98D8FDBA1DA989825AFDBBB1EF49310F00017BD018D31E6DE2469418781
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2252958844.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b5f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a69a08cce8e0c2a37df9bc206412521d73031ac2b02f242b5ab7af6b800e8cc1
                                                                                                                                                                                                                                          • Instruction ID: d3477b0069565ef17baf41ff1569273b872ec7b016f0e3662292752b844b8390
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a69a08cce8e0c2a37df9bc206412521d73031ac2b02f242b5ab7af6b800e8cc1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D221A23170DE4C4FD794DB6D98A86643BE1FF9E31171A01EAE09DCB2A2D911EC42C741
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5fd46b3d2e2e111eecc4e39694d559afac3972e450e4c29aa9d8c13c7708307e
                                                                                                                                                                                                                                          • Instruction ID: 002a60cdc9a440b049c487f3b0b7b57de18d006681b57fb7c8a71ad9abfe2ce3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5fd46b3d2e2e111eecc4e39694d559afac3972e450e4c29aa9d8c13c7708307e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9D219D3188E3C94FD3239BA068225E97F789F03211F0B01EBD08CDB4A3C52D569AC762
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2252958844.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b5f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c89875927aa37329a3871a208db4f3374d1dce14a8dce90f17d114c21598f014
                                                                                                                                                                                                                                          • Instruction ID: 4bb1328eaffa29fdb4cd365a8b9717ab3d649be76b6d8e148cfae7f4b1c68a83
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c89875927aa37329a3871a208db4f3374d1dce14a8dce90f17d114c21598f014
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6821DA71F0AA8C0FDBA0EBA948652E97BE1FF59311F4600BBD44CD7162DE186C418751
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2252958844.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b5f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d724715531e9bdeac7ebc2b22f237c6daa3fc21f756edbf27d30a06e0b6c496b
                                                                                                                                                                                                                                          • Instruction ID: 9386ac46b1b52aa24981dda7b97f3704f7eb651468d62a3ce48d2c1a820db4a5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d724715531e9bdeac7ebc2b22f237c6daa3fc21f756edbf27d30a06e0b6c496b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B3212971F1EB0D4EEBB5A65894627F97BE1DF54310F4101BEE40A835B3DE25A9418281
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 327256129eb79d49d93be95308807dc704e42d2eb9000c3bee91beb097e5e2ed
                                                                                                                                                                                                                                          • Instruction ID: 04f8419934fb07ae6e16bc974e7c1ffe56566c2567e600bd7ca2cc1e15d4eda8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 327256129eb79d49d93be95308807dc704e42d2eb9000c3bee91beb097e5e2ed
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9D210834D0E64E8BDB74EEA4A4506F8BBB0EF42314F15037ED40CA71A1DB359A85CB40
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3d781acb7147c541076dcdaa2ddb0d1c2becd58c39fdb5f4cfe33075bad18a00
                                                                                                                                                                                                                                          • Instruction ID: 11a91c0f655153994193d65d66c25c0828bf3cc8a8153e58fcff39b288ab4623
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3d781acb7147c541076dcdaa2ddb0d1c2becd58c39fdb5f4cfe33075bad18a00
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4b2efb5d5c0433251ab559dfdf89ed2f35f7103b5950bc84bd9320c509223436
                                                                                                                                                                                                                                          • Instruction ID: a24e2965b26e0c39c91f8946e2892da0465e436c0c10b113c24360c4226f332c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4b2efb5d5c0433251ab559dfdf89ed2f35f7103b5950bc84bd9320c509223436
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9911861270FAD90FE372E6AD68755A6AFA0DF9616030A01FFD089C71A7EC142E098351
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 99cdea7b1b8ce4d69bf53708ed6cd4e2516dd6311b6f08fb3ec68e9bab3d5a6b
                                                                                                                                                                                                                                          • Instruction ID: aee5668e61a819fe685ce1e37d25ba04c5ecc062ea3e9b0a6985628317bf04d7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 99cdea7b1b8ce4d69bf53708ed6cd4e2516dd6311b6f08fb3ec68e9bab3d5a6b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 191105A2B0FAC90FF3A1E62C98547A57FD2DF96650F1940FED048CB1BAE915AC09C340
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8e911f96eae1bf1abc171875dbdb15c75b0ab5688473f03561f2e7c2befd2fb2
                                                                                                                                                                                                                                          • Instruction ID: 05d02a12430b27150fb7c382c6ccb97a5ff8bef4a72eece0ac07a0172527c6fc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8e911f96eae1bf1abc171875dbdb15c75b0ab5688473f03561f2e7c2befd2fb2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 22119E62B0EE0E4FFBA8EA5CA0643A467D1EBA8251716017FD00EC35A5DE10AC068740
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1183d287025a5065172b2d0a40f73cfff49d389bfae18acffb244bdd858a1452
                                                                                                                                                                                                                                          • Instruction ID: 215381bfcde2337eb803002e4b4dd36550b774cc1a4327b6e089da8e785a5100
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1183d287025a5065172b2d0a40f73cfff49d389bfae18acffb244bdd858a1452
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B8111231B1D91D9FDB68EB5CA86666C77D1EF98711B4101AFE049C32A6CE20AC0287C1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2252958844.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b5f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8ea50892b11006df2246336039f94a303a33e16ad31c7321e7a32ce6a1e2244b
                                                                                                                                                                                                                                          • Instruction ID: 9711d8045c22d27159f065148393ab0c98f214a36a5596853156b70448acc8b1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8ea50892b11006df2246336039f94a303a33e16ad31c7321e7a32ce6a1e2244b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FA11913070691D4FD9F5EB6D8468A3A76D1FF88300F56017ED04EC36A2CE15AD41C380
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6717e6753874e788e0c6803d41295b808ffc6722453164ab4c7c1bc607f235f4
                                                                                                                                                                                                                                          • Instruction ID: 7ec70afcec32f9cbb1fa3940ad3d498a5d40d823a01eba5911272ee6e61797d5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6717e6753874e788e0c6803d41295b808ffc6722453164ab4c7c1bc607f235f4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F61180B1E0EA485FE768DA7C481D67E7BE0EF99215F04007FF44AC71E2DE2458058681
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9b1cfc9dfc12b00ed028e9e72745adfdaa3e248f4c6ab9fc09ca103c3ba27821
                                                                                                                                                                                                                                          • Instruction ID: 9d448c1aba704378e9db2be4514287c033fb122adef0dea7f2bd7a161845374c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9b1cfc9dfc12b00ed028e9e72745adfdaa3e248f4c6ab9fc09ca103c3ba27821
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AB118C7150F7C84FD706EB688C64A507FF0AF27200B0A41EFE088CB1B3DA299949C712
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 259daf881d1b2f1ada3200022536a493210a0ca2c9b67b03dcc5164e3430de9b
                                                                                                                                                                                                                                          • Instruction ID: c7e28107a6e7810d3438c9c3d02081ca34ed487d8774b5929c60d6d81b7fe0ab
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 259daf881d1b2f1ada3200022536a493210a0ca2c9b67b03dcc5164e3430de9b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0101C4347199094FFBA5FA6CA4247F43BD0EF19310F0500EAD449CB2A2D9199D868780
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2252958844.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b5f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 54dbc06dc9a3be4269ecff914f2ae1ddc2917c58e9c7b7a2bcb5769bd002ea0d
                                                                                                                                                                                                                                          • Instruction ID: e240508e2c7560ae357bff7c685f3e0fae3276debc047a9d8040f438f89916c0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 54dbc06dc9a3be4269ecff914f2ae1ddc2917c58e9c7b7a2bcb5769bd002ea0d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8301D230A0AB494FE7A5EB6880597A6BBD1EFD4315F044A3ED889C7371EE3895418741
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c17cfa16bd4c04718f87a6d43837f99ec16bc818cf772d1b79281356b0855783
                                                                                                                                                                                                                                          • Instruction ID: 601c8babadba899b369e2339111cef49d3b9aaf2cb10007f8f265029cdb670a3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c17cfa16bd4c04718f87a6d43837f99ec16bc818cf772d1b79281356b0855783
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0D016721B25D4E4FDBA8E71C80609A673D1FFD4300745457AD44EC3299DE15E8418380
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 676b366203020fd6f27f07379c11cdbf7e02ce4dd1c83b66bb4dce7f42e5131d
                                                                                                                                                                                                                                          • Instruction ID: d4067eb45caa62cce81b9db465b321f4ce76370d2a1b4f95a798b4dd99af4708
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 676b366203020fd6f27f07379c11cdbf7e02ce4dd1c83b66bb4dce7f42e5131d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BB01F521629F4A4BC364F3389414BE6A2D1FFD0300F41457ED09EC7296EEB875458391
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 936102325533882fec8c753b90c3036a3a3aecd3aad08961d19027e36d1cd2de
                                                                                                                                                                                                                                          • Instruction ID: ff3ea00e79624447bed395601a40457f44753bfc097d4bf8dc864bb5cd71c30f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 936102325533882fec8c753b90c3036a3a3aecd3aad08961d19027e36d1cd2de
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 98F0A935E4950C8BEB20AE94A4002F8F7B4EB86354F01203FD00CA7250D73A9A95CB48
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 560904fe4729301fea7cf8d807c215f6fead7ad01e77a6cdbebb984286c656c5
                                                                                                                                                                                                                                          • Instruction ID: 2950ed9ea3a6427f2444ff2c716773f9902ae8b2726b9e4c700a01d32797705c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 560904fe4729301fea7cf8d807c215f6fead7ad01e77a6cdbebb984286c656c5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1DF0CD35E4960E8BD720EE94B0002F9F7B4EB82310F01223BD00CA7250D73ADA96CB48
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dc554d4f9164f493f5d30c64e7282076698cc3d443764667c9fc6da40a0c1904
                                                                                                                                                                                                                                          • Instruction ID: 151906aba53e15ed17b75564cc27bea93a724c2a949e25e907c75f984d93c6cd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dc554d4f9164f493f5d30c64e7282076698cc3d443764667c9fc6da40a0c1904
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6801D631B29D0F4FDBA9EB1C90A09B6B3E1FFA8300744467AD01DC7299EE24E8428741
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4ed6bfdadcc460d893ead34601ade7b1451adb1389b84027c79d7add11a2e601
                                                                                                                                                                                                                                          • Instruction ID: af410b5de6db6aa427cfe5a4c982f95a08b8665760383e7d5dd63e58063f9359
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4ed6bfdadcc460d893ead34601ade7b1451adb1389b84027c79d7add11a2e601
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A101B130A0AB098FE7A5EB2890597AA7BE1EFD4315F04497EE889C3371EA3895418741
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 06aa0569a63737bed06b59bc55523946933e77852dc0dfa6c7b6565910185859
                                                                                                                                                                                                                                          • Instruction ID: b100a467bd6744826f1bf3e8724116b62b97df2475e4c5e840954f8232af0357
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 06aa0569a63737bed06b59bc55523946933e77852dc0dfa6c7b6565910185859
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2001F77190E6CD5FE752EB6488653A87FA0EF09210F0605EBD059C60A3E92859448301
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
Memory Dump Source
• Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c2ab63123cf87a3186033ff9478861c82032a797f2152611dfb1b5edfa3429b4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 71F01D31F1592D8FDBA4EF589860BE8B372FB85311F4045BAE01DD3295CE356D858B41
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2252958844.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b5f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 111f4c576757fd981e12fb9ae42ad56a984fc8b68ed4bcb366564cf106135f4a
                                                                                                                                                                                                                                          • Instruction ID: 7ee6c98aa4b3d3b3ae8554e16cb8ddefc11ce3db895b404654ccbdc80de22dc6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 111f4c576757fd981e12fb9ae42ad56a984fc8b68ed4bcb366564cf106135f4a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 33F08232B1980D4FEF98E64CE860BF87392EB98364B010166D00DD3186CD22AD438781
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2252958844.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b5f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e0533534203a9c9c87e12358202282ddb3d3c1ba4d916666e76700879ccb65e1
                                                                                                                                                                                                                                          • Instruction ID: 0c32056dfca69f0538beb6f454cbef31ccb8f69142ae67298ff77c69af53bdad
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e0533534203a9c9c87e12358202282ddb3d3c1ba4d916666e76700879ccb65e1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 72F05E32B1880D4BEF94EB4CD861AF87392EB98368F450175D10DD728ADD25AD028781
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 75e191324d4aaea9975794b0f3cb10e2f049cd143d3aa1f67be70c2cdda150e3
                                                                                                                                                                                                                                          • Instruction ID: 2650eb45b02b4b1921ac93908ff1c5469885031a8d4d0c2a0377ef21ba89ee76
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 75e191324d4aaea9975794b0f3cb10e2f049cd143d3aa1f67be70c2cdda150e3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0EF0A930D4A60E8FC724EEA4E4403FDB2B4FB0A205F41223ED00CA2190C7BA9A94CB84
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ee93a157538191924a2796c61b79d9b3d1e03ee4751219d5f553bc4456bf8c3b
                                                                                                                                                                                                                                          • Instruction ID: edf73266284d83ed61ee7cf709aa4609b6e3f00ff3c2d13867046eccf7179aa8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ee93a157538191924a2796c61b79d9b3d1e03ee4751219d5f553bc4456bf8c3b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C0F02732B19D1D5BE9B4F66C9065ABA77D2EB84700F80047EE44DC22D4DD5838428380
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7f18dce410e4c0a13c2eb425277f00e39bdfb5091f7e933644abc922069b969c
                                                                                                                                                                                                                                          • Instruction ID: 7344b7ec9e5092d03c0d7013a332a2a54e6c94d4534653b115be3068422c4c4f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7f18dce410e4c0a13c2eb425277f00e39bdfb5091f7e933644abc922069b969c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F4F0A030C4660D8FCB24EE94A4003FDB2B4FB0A205F41223ED00CB2180D3799B98CB24
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2ef2688c4dd9518b9e7037b0b9d89b07538083f1e4c4ce26bb945238696d6411
                                                                                                                                                                                                                                          • Instruction ID: d96103c2276b6eb8089ab94efd33e9c20d060f249bc916dba89a4f1e6d5ce7a5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2ef2688c4dd9518b9e7037b0b9d89b07538083f1e4c4ce26bb945238696d6411
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 50F0242630EA8D8FEBA0DA48E4D8B64BBE2FF95310F4902B8C44CC7252C635EC05C381
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b4ba7985db56a3fc0493a6d0979ec6c1e5bb07abf6d9dc7749465e6a83378ea7
                                                                                                                                                                                                                                          • Instruction ID: 2c48079e4739956a7a05cf39c5b9ff7ce5d366f98bf058a44f58ec2fcf23ec62
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b4ba7985db56a3fc0493a6d0979ec6c1e5bb07abf6d9dc7749465e6a83378ea7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 30F089B0E0965D9FDBB5EF6494253EA7291EB44300F0105BF900DE32D1DF755A44CB40
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2252958844.00007FFD9B5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5F0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b5f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 67f6c78042836790eba17300cbb4041b15c3a1342f4775502bef79dbb101d865
                                                                                                                                                                                                                                          • Instruction ID: 1ba66da530e29c64b9ec4ba20c769190c0de278c486d856668f1a5f42d304392
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 67f6c78042836790eba17300cbb4041b15c3a1342f4775502bef79dbb101d865
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A9E0653170980E8FE6E1E61CE465B74B7E2FF98321B2201B6D00EC3662DE26EC414780
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 73fc8ae6c22708c8b7592c7565218c49566a86697d929697524c4614a3681956
                                                                                                                                                                                                                                          • Instruction ID: cc52fdf9c62a8a5d7c99e40fcd7f036bc8648ac2beb144fbed60e328e6be1615
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 73fc8ae6c22708c8b7592c7565218c49566a86697d929697524c4614a3681956
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DAF05475E2550D5BEB94F79888A5EAC73B2FFD8B40F414075E048E33A2DE296C41C701
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ef07418ba71dcc417e97abf6fce18692cad4b35bbbcf9e0aa751daf22940b741
                                                                                                                                                                                                                                          • Instruction ID: a32b467e541d4763bbe0388f2503e091555ca1c7c1f9711dba920f4541536f5f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ef07418ba71dcc417e97abf6fce18692cad4b35bbbcf9e0aa751daf22940b741
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EEE09205A1F9990FEB35A7A848256F03EA09F46100B0A01EAD0488A2A3D84D6A4A4391
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ecfc8a74304e23d4b73dfaa1d702b628a4aebdce6be3b3ab8715e2a5267e2332
                                                                                                                                                                                                                                          • Instruction ID: 40e3b2f500e75e826d05de650062bd1a6b740c4a54cea593439735337df9fd34
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ecfc8a74304e23d4b73dfaa1d702b628a4aebdce6be3b3ab8715e2a5267e2332
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 88F0DF70E1992C8FDBA4EB98A8507ECB3B2FB59301F5041AAD00DE6291CB346A81CB00
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f02aaa3021299f80fe9704985e27f8c1c84f7b0f962948d70dba8365e7fb2452
                                                                                                                                                                                                                                          • Instruction ID: a85cd66dbeacf647a542855c33efd2991c67ac8821349009306b2cb655b75590
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f02aaa3021299f80fe9704985e27f8c1c84f7b0f962948d70dba8365e7fb2452
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1BE0268141FACC0FEB22A3B80C6A8903FA09E1311070C42FBC088CF1A3D40C610A8302
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8468fe1e1ff76e3a9eef31e2a6be4d2c0d6f469ef6a9aadc177b2e795e344398
                                                                                                                                                                                                                                          • Instruction ID: fb2d092526a7112c4051149bc4022136f0860696172f294e096a993bc2efeac2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8468fe1e1ff76e3a9eef31e2a6be4d2c0d6f469ef6a9aadc177b2e795e344398
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 81E0E531E1441C8ECB54EF68E851BECB7B1FF44205F4040BAE01CE3286CA7969818B00
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 71f12b74848aad73503d9f4d5bd28855b41d46d53c0df62f5c17ce80b49b1101
                                                                                                                                                                                                                                          • Instruction ID: edaa2381485744a5b71ccb3da5d812e048a3bbed17fe898f09f9ac072a208ea6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 71f12b74848aad73503d9f4d5bd28855b41d46d53c0df62f5c17ce80b49b1101
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0CE09A71B1951D4EEB68EAA888657ACA7A1FF54354F50057E901DD3292CF3459428B40
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2250515872.00007FFD9B560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B560000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b560000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0d090ed7b4125c2701ebdad741b3516539542c8ed1b0d469526bde484911a94a
                                                                                                                                                                                                                                          • Instruction ID: 44f1636215dec342880e9b0c6561d9a2f9548f91c3bf731eb569ed6e37bb48ed
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0d090ed7b4125c2701ebdad741b3516539542c8ed1b0d469526bde484911a94a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E2D01232B0944E8ADF559668A0546ECFBE1DFD9126B5541B6D04DC3142DB3156524780
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d643327f8ed3088cefd99a01526bf00d37693a6cc7eca3956d5849068441945e
                                                                                                                                                                                                                                          • Instruction ID: e46881916ef9f5a25fa47a40ef57b3a0e0f44e84d6396ffab009c19fb79528d3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d643327f8ed3088cefd99a01526bf00d37693a6cc7eca3956d5849068441945e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 78D05E306092414FCB58AF28A080C80B790EF1221835509E8E0158B1E7C52ADC86CB01
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 752b1db686eb01bad32f78b5e254a2c3e3bc85846cc114dbff7acf1c7bdcc19a
                                                                                                                                                                                                                                          • Instruction ID: ce0dd545af57d3fb7a78dca4444ae7722a9eab892dd0c07ff0997ae6387a264b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 752b1db686eb01bad32f78b5e254a2c3e3bc85846cc114dbff7acf1c7bdcc19a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8DC08C20A3590D8BC728F76848810587690FF08200FC001F8E00CC2284D66D91504705
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2246711757.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b3e0000_AteraAgent.jbxd